Overview
AppOmni Common Event Schema (ACES) is a specification that defines a common set of fields used when storing and evaluating event data in AppOmni.
ACES specifies field names, data types, required enums, and contextual information such as field descriptions, examples, and a JSONSchema specification.
The goal of ACES is to make it easier for AppOmni users to analyze, visualize, correlate, and detect on event data surfaced by SaaS applications.
Normalization to other schemas
ACES will, on a best-effort basis, document suggested mappings to other event schemas such as the Open Cybersecurity Schema Framework (OCSF).
In its present form, ACES is largely compatible with the Elastic Common Schema (ECS). However, there are minor differences in field usage, and ACES introduces fields not present in ECS, which may complicate 1:1 parity.
Maturity
ACES follows Semantic Versioning.
The version of any given event blob can be found in the top-level version field.
Application
Top Level Fieldset: True
This field set describes any integration with an application, including connections to an API.
Application Fields
application.domain
Required Field: False
Type: STRING
Example: example.com
Detection Supported Field: True
The domain name of the application.
application.id
Required Field: False
Type: STRING
Example: 5A4232E1
Detection Supported Field: True
Unique ID of the application.
application.name
Required Field: False
Type: STRING
Example: User Activity API
Detection Supported Field: True
The name or description of the application.
application.path
Required Field: False
Type: STRING
Example: /users/active?pageSize=100
Detection Supported Field: True
The URI of the application or API endpoint, which can include parameters.
application.scopes
Required Field: False
Type: ARRAY
Example: ['create users', 'edit users']
Detection Supported Field: True
The scopes required by the application.
application.version
Required Field: False
Type: STRING
Example: 2.01
Detection Supported Field: True
The version of the application.
AppOmni
Top Level Fieldset: True
Contains fields related to the service, organization, and collection of an event.
AppOmni Fields
appomni.alert.channel
Required Field: False
Type: STRING
Example: prod
Detection Supported Field: False
The channel of a rule is determined by the stage of the rule lifecycle.
Allowed Values
Name | Description |
---|---|
prod | Reflects rule that has been made Generally Available to AppOmni Customers. |
beta | Reflects rule that is in beta. |
testing | Reflects rule that is in development. |
ao_only_prod | Rule for internal AppOmni usage that is in production. |
ao_only_beta | Rule for internal AppOmni usage that is in beta. |
ao_only_testing | Rule for internal AppOmni usage that is in testing. |
appomni.event.collected_time
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:33:55.589Z
Detection Supported Field: False
Timestamp when the event was collected by AppOmni.
appomni.event.dataset
Required Field: True
Type: STRING
Example: appomni_qa
Detection Supported Field: True
The dataset of the event. A dataset is generally a collection of similar events.
Allowed Values
Name | Description |
---|---|
onepassword_auditlog | OnePassword Audit Events |
ao_auditlogs | AppOmni Audit Events |
ao_canary | AppOmni Canary Events |
appomni_alert | AppOmni Alerts |
appomni_event | AppOmni Events |
appomni_qa | AppOmni QA Events |
arista_auditlog | Arista Audit Events |
asana_eventlog | Asana Audit Events |
auth0_auditlog | Auth0 Audit Events |
bitbucket_auditlog | Bitbucket Audit Events |
box_admin_logs | Box Audit Events |
confluence_eventlog | Confluence Audit Events |
cradlepoint_activity_log | Cradlepoint Activity Logs |
crowdstrike_audit_log | CrowdStrike Audit Events |
crowdstrike_auth_activity | CrowdStrike Authentication Audit Events |
crowdstrike_cspm_ioa_event | CrowdStrike Falcon Horizon CSPM Assessment Events |
crowdstrike_cspm_search_event | CrowdStrike Falcon Horizon CSPM Audit Events |
crowdstrike_detection_summary | CrowdStrike Detection Events |
crowdstrike_external_api_activity | CrowdStrike 3rd Party App Audit Events |
crowdstrike_identity_protection_event | CrowdStrike Identity Protection Events |
crowdstrike_idp_detection_summary | CrowdStrike Identity Detection Events |
crowdstrike_incident_summary | CrowdStrike Incident Events |
crowdstrike_ioc_event | CrowdStrike Custom IOC Audit Events |
crowdstrike_firewall_match | CrowdStrike Firewall Audit Events |
crowdstrike_mobile_detection_summary | CrowdStrike Mobile Detection Events |
crowdstrike_realtime_response_end | CrowdStrike Real Time Response End Audit Events |
crowdstrike_realtime_response_start | CrowdStrike Real Time Response Start Audit Events |
crowdstrike_recon_summary | CrowdStrike Intelligence Monitoring Events |
crowdstrike_user_activity | CrowdStrike User Activity Audit Events |
crowdstrike_xdr_detection_summary | CrowdStrike XDR Detection Events |
crowdstrike_unknown | CrowdStrike Unidentified Event Types |
custom_eventlog_push | Custom App Events |
custom_rawlog | Custom Raw Events |
databricks_auditlog | Databricks Audit Events |
datadog_auditlog | Datadog Audit Events |
duo_admin | Duo Administrative Activity |
duo_auth | Duo Authentication Activity |
docusign_envelope_audit | DocuSign Audit Events |
docusign_monitor | DocuSign Monitor Alerts |
fastly_auditlog | Fastly Audit Events |
github_audit | GitHub Audit Events |
github_webhook | GitHub Webhook Events |
gitlab_audit_events | GitLab Audit Events |
gsuite_admin_log | Google Workspace Admin Events |
gsuite_alert_center_log | Google Workspace Alert Center Alerts |
gsuite_drive_log | Google Workspace Drive Events |
gsuite_login_log | Google Workspace Login Events |
gsuite_mobile_log | Google Workspace Mobile Events |
gsuite_token_log | Google Workspace Token Events |
hubspot_auditlog | HubSpot Audit Events |
imanage_auditlog | iManage Audit Events |
jamf_auditlog | Jamf Audit Events |
jira_eventlog | Jira Events |
jumpcloud_auditlog | JumpCloud Audit Events |
juniper_system_log | Juniper System Log Messages |
lucid_eventlog | Lucidchart Events |
miro_auditlog | Miro Events |
monday_auditlog | Monday Audit Events |
netsuite_login_log | NetSuite Login Events |
netsuite_perm_change_log | NetSuite Permission Changes Events |
netsuite_role_log | NetSuite Roles Events |
notion_auditlog | Notion Audit Events |
o365_audit_azure_active_directory | Microsoft 365 Azure Active Directory Audit Events |
o365_audit_exchange | Microsoft 365 Exchange Audit Events |
o365_audit_general | Microsoft 365 General Audit Events |
o365_audit_sharepoint | Microsoft 365 Sharepoint Audit Events |
o365_dlp_all | Microsoft 365 DLP Events |
mongodb_atlas | MongoDB Atlas Events |
okta_syslog | Okta System Events |
onelogin_eventlog | OneLogin Events |
openblue_auditlog | OpenBlue Audit Events |
sapsf_sfapi_eventlog | SAP SuccessFactors API Events |
sapsf_odata_api_eventlog | SAP SuccessFactors OData Events |
ping_eventlog | Ping Identity |
sfdc_admin_setup_event_table | Salesforce Admin Setup Events |
sfdc_api_anomaly_event_store | Salesforce API Usage Anomalies Events |
sfdc_api_event_table | Salesforce Read-Only API Events |
sfdc_audit_trail | Salesforce Audit Events |
sfdc_batch_event_log | Salesforce Batch Events |
sfdc_bulk_api_result_event_store | Salesforce Bulk API Events |
sfdc_content_transfer_event_store | Salesforce Content Transfer Events |
sfdc_credential_stuffing_event_store | Salesforce Credential Stuffing Login Events |
sfdc_data_query | Salesforce Data Query Events |
sfdc_field_modification_history | Salesforce Field History Events |
sfdc_fsecure | Salesforce F-Secure Events |
sfdc_identity_verification_event_store | Salesforce User Identity Verification Events |
sfdc_idp_event_store | Salesforce Identity Provider Events |
sfdc_lightning_uri_event_table | Salesforce Lightning Experience User CRUD Events |
sfdc_list_view_event_table | Salesforce List View Events |
sfdc_login_as_event_table | Salesforce Admin Login As User Events |
sfdc_login_event_table | Salesforce User Login Events |
sfdc_logout_event_table | Salesforce User Logout events |
sfdc_oauth_connection | Salesforce OAuth Connection Events |
sfdc_permission_event_store | Salesforce Permission Events |
sfdc_report_anomaly_event_store | Salesforce Report Anomaly Events |
sfdc_report_event_table | Salesforce Report Events |
sfdc_session_hijacking_event_store | Salesforce Session Hijacking Events |
sfdc_uri_event_table | Salesforce User Record CRUD Events |
sfmc_audit_event | Salesforce Marketing Cloud Audit Events |
sfmc_security_event | Salesforce Marketing Cloud Security Events |
slack_auditlog | Slack Audit Events |
smartsheet_auditlog | Smartsheet Audit Events |
sendgrid_auditlog | SendGrid Events |
snow_export_log | ServiceNow Export Events |
snow_mid_command_log | ServiceNow MID Server Command Events |
snow_sysaudit | ServiceNow System Audit Events |
snow_sysaudit_role | ServiceNow System Role Events |
snow_sysevent | ServiceNow System Events |
snow_syslog | ServiceNow Syslog Events |
snowflake_login_history | Snowflake Login Events |
snowflake_query_history | Snowflake Query History Events |
stripe_eventlog | Stripe Events |
tableau_activitylogs | Tableau Activity Events |
veevavault_login_audit_trail | VeevaVault Login Events |
veevavault_system_audit_trail | VeevaVault System Events |
veevavault_document_audit_trail | VeevaVault Document Events |
veevavault_object_audit_trail | VeevaVault Object Record Events |
versa_auditlog | Versa Audit Events |
webex_admin_audit | WebEx Admin Audit Events |
wiz_audit | Wiz Audit Events |
workday_auditlog_user_activity | Workday User Activity Events |
workday_activity_logging | Workday Activity Logging Events |
zendesk_auditlog | Zendesk Audit Events |
zoom_recordings | Zoom Recording Events |
zoom_webhook | Zoom Webhook Events |
appomni.event.enrichments
Required Field: False
Type: ARRAY
Example: ['ipinfo']
Detection Supported Field: True
List of third-party sources that contributed enrichment information to an event.
appomni.event.id
Required Field: True
Type: UUID
Example: 312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d
Detection Supported Field: False
Unique AppOmni-assigned ID of the event.
appomni.event.ingestion_time
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:34:18.429Z
Detection Supported Field: False
Timestamp when the event arrived in AppOmni's data store.
appomni.event.parent_id
Required Field: False
Type: UUID
Example: 733e5b47-d79b-40c1-bc8c-b19c22137785
Detection Supported Field: False
Unique ID of the parent event.
appomni.event.sortable_event_id
Required Field: False
Type: ULID
Example: 01GJ3CQYGGJ4GJP2WWBPRH07H8
Detection Supported Field: False
Unique sortable ID of the event assigned when it's collected.
appomni.event.sortable_ingest_id
Required Field: False
Type: ULID
Example: 01GJ3CQYGGJ4GJP2WWBPRH07H8
Detection Supported Field: False
Unique sortable ID of the event assigned when it arrives in AppOmni's data store.
appomni.organization.id
Required Field: True
Type: INTEGER
Example: 1
Detection Supported Field: False
ID of the AppOmni Tenant this event originated from.
appomni.service.account_id
Required Field: False
Type: STRING
Example: wehg385
Detection Supported Field: False
Unique platform-assigned ID of the connected monitored service.
appomni.service.id
Required Field: False
Type: INTEGER
Example: 1
Detection Supported Field: False
Unique AppOmni-assigned ID of the connected monitored service.
appomni.service.name
Required Field: False
Type: STRING
Example: AppOmni QA
Detection Supported Field: False
The tenant owner-assigned name of the connected monitored service.
appomni.service.slug
Required Field: False
Type: STRING
Example: tenant__uniq_svc_name
Detection Supported Field: False
The identifier of the monitored service, either the platform shortname for out-of-the-box (OOTB) services or the unique identifier for custom monitored services.
appomni.service.type
Required Field: False
Type: STRING
Example: ao_qa
Detection Supported Field: False
The platform shortname of the monitored service.
Allowed Values
Name | Description |
---|---|
ao_qa | AppOmni QA |
appomni | AppOmni |
asana | Asana |
auth0 | Auth0 |
bitbucket | Bitbucket |
box | Box |
confluence | Confluence |
crowdstrike | CrowdStrike |
custom | Custom |
databricks | Databricks |
docusign | DocuSign |
duo | Duo |
fastly | Fastly |
github | GitHub |
gsuite | Google Workspace |
hubspot | HubSpot |
imanage | iManage |
jamf | Jamf |
jira | Jira |
jumpcloud | JumpCloud |
lucid | Lucidchart |
miro | Miro |
mongo | MongoDB |
monday | Monday |
multiple | Multiple (only used in Alerting) |
netsuite | Netsuite |
notion | Notion |
o365 | Microsoft 365 |
okta | Okta |
onelogin | OneLogin |
ping | Ping Identity |
sapsf | SAP SuccessFactors |
sfdc | Salesforce |
sfmc | Salesforce Marketing Cloud |
slack | Slack |
sendgrid | SendGrid |
smartsheet | Smartsheet |
snow | ServiceNow |
snowflake | Snowflake |
stripe | Stripe |
tableau | Tableau |
veevavault | VeevaVault |
webex | WebEx |
wiz | Wiz |
workday | Workday |
zendesk | Zendesk |
zoom | Zoom |
appomni.source.id
Required Field: False
Type: STRING
Example: 123e4567-e89b-12d3-a456-426614174000
Detection Supported Field: False
Unique AppOmni-assigned ID of the detection event source.
Autonomous System
Top Level Fieldset: False
An autonomous system (AS) is a collection of Internet Protocol prefixes with a unified routing policy. An AS is managed by a single administrative entity, such as a university, government, organization or internet service provider.
Fields from as can only be found at the following locations:
source.as
destination.as
Autonomous System Fields
as.country
Required Field: False
Type: STRING
Example: US
Detection Supported Field: True
ISO 3166 country code.
as.domain
Required Field: False
Type: STRING
Example: salesforce.com
Detection Supported Field: True
Domain name of the AS.
as.number
Required Field: False
Type: INTEGER
Example: 15169
Detection Supported Field: True
Unique number assigned to the autonomous system.
as.organization.name
Required Field: False
Type: STRING
Example: Google LLC
Detection Supported Field: True
Name of the organization.
as.service
Required Field: False
Type: STRING
Example: PureVPN
Detection Supported Field: True
Name of the IP privacy service provider.
as.type
Required Field: False
Type: STRING
Example: ISP
Detection Supported Field: True
AS type.
Authentication
Top Level Fieldset: True
This field set contains information about authentication related to an event.
Authentication Fields
authentication.method
Required Field: False
Type: STRING
Example: password
Detection Supported Field: True
Normalized method of authentication.
Allowed Values
Name | Description |
---|---|
access_token | Token-based authentication. Examples: OAuth, JWT |
backup_code | Backup code. |
biometric | Biometric verification. Examples: fingerprint, facial ID |
email | Email verification code or link. |
hardware_authenticator | Hardware authenticator. Examples: Yubikey, hard token |
password | Password. |
passwordless | Passwordless authentication. Example: WebAuthn |
phone_call | Verification code sent via phone call. |
sms | Verification code sent via SMS. |
sso | Single Sign-On (SSO) via a federated identity / external IdP. Examples: SAML, OpenID Connect, WS-Federation |
software_authenticator | Software-based authenticator that generates a time-based code or a push notification. Examples: Okta Verify, Duo Push |
gesture | Gesture, such as tracing a pre-defined pattern on a touchscreen-enabled device. |
hardware_token | Hardware token, which is typically a dedicated authentication device. |
software_token | Software token, which is typically a credential file stored on a device. |
authentication.provider
Required Field: False
Type: STRING
Example: Okta
Detection Supported Field: True
Authentication provider.
authentication.raw_method
Required Field: False
Type: STRING
Example: Sha1HashedPassword
Detection Supported Field: True
Method of authentication as provided by the monitored service.
base
Top Level Fieldset: True
The base field set contains all fields which are at the root of the events. These fields are common across all types of events.
base Fields
@timestamp
Required Field: True
Type: DATETIME
Example: 2022-11-17T13:02:30.458Z
Detection Supported Field: False
Date/time when the event originated.
labels
Required Field: False
Type: OBJECT
Example: {'some_key': 'some_value'}
Detection Supported Field: False
Custom key/value pairs.
message
Required Field: False
Type: STRING
Example: This is a test ACES event
Detection Supported Field: True
A human-readable summary of the event.
tags
Required Field: False
Type: ARRAY
Example: ['example_tag']
Detection Supported Field: True
List of keywords used to tag each event.
version
Required Field: True
Type: STRING
Example: 2.0
Detection Supported Field: False
Version of ACES.
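The base, AppOmni and Authentication field sets above define the fields an event must carry (@timestamp, version, appomni.event.dataset, appomni.event.id, appomni.organization.id), the declared types (DATETIME, UUID, ULID, INTEGER, ARRAY, OBJECT), and enumerated values. The following is an added example, not AppOmni's JSONSchema or any AppOmni code: a small conformance checker that applies those three kinds of constraint to an event before it is pushed or evaluated. The enum sets are deliberate subsets of the allowed-value tables on this page (extend them from the full tables), the sample event is constructed for this example, and the function and constant names are this example's own.

```python
"""Minimal ACES conformance check (added example; not AppOmni's schema code)."""
import re
import uuid
from datetime import datetime

# Fields the ACES reference marks "Required Field: True".
REQUIRED = ("@timestamp", "version", "appomni.event.dataset",
            "appomni.event.id", "appomni.organization.id")

# Declared types for a selection of fields, taken from the reference.
FIELD_TYPES = {
    "@timestamp": "DATETIME", "version": "STRING", "message": "STRING",
    "tags": "ARRAY", "labels": "OBJECT",
    "appomni.event.dataset": "STRING", "appomni.event.id": "UUID",
    "appomni.event.parent_id": "UUID", "appomni.event.collected_time": "DATETIME",
    "appomni.event.sortable_event_id": "ULID",
    "appomni.organization.id": "INTEGER", "appomni.service.id": "INTEGER",
    "appomni.service.type": "STRING", "authentication.method": "STRING",
    "application.scopes": "ARRAY", "destination.port": "INTEGER",
}

# Subsets of the allowed-value tables; extend from the full tables on this page.
ENUMS = {
    "appomni.event.dataset": {"okta_syslog", "custom_eventlog_push",
                              "sfdc_login_event_table", "appomni_qa"},
    "appomni.service.type": {"okta", "custom", "sfdc", "ao_qa"},
    "authentication.method": {"access_token", "password", "sso", "sms",
                              "hardware_authenticator", "software_authenticator",
                              "passwordless"},
}

# ULID: 26 characters of Crockford base32 (no I, L, O, U).
ULID_RE = re.compile(r"^[0-9A-HJKMNP-TV-Z]{26}$")

def get_path(event, dotted):
    """Resolve 'a.b.c' against nested dicts; returns (found, value)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur

def type_ok(value, aces_type):
    """Check a value against one of the ACES type names used above."""
    if aces_type == "STRING":
        return isinstance(value, str)
    if aces_type == "INTEGER":          # bool is an int subclass; reject it
        return isinstance(value, int) and not isinstance(value, bool)
    if aces_type == "ARRAY":
        return isinstance(value, list)
    if aces_type == "OBJECT":
        return isinstance(value, dict)
    if aces_type == "DATETIME":         # ISO 8601 with a trailing Z, as in the examples
        try:
            datetime.fromisoformat(value.replace("Z", "+00:00"))
            return True
        except (ValueError, AttributeError):
            return False
    if aces_type == "UUID":
        try:
            uuid.UUID(str(value))
            return True
        except ValueError:
            return False
    if aces_type == "ULID":
        return isinstance(value, str) and bool(ULID_RE.match(value))
    return False                        # unknown declared type: fail closed

def validate_event(event):
    """Return a list of conformance problems; an empty list means the event passes."""
    problems = []
    for path in REQUIRED:
        if not get_path(event, path)[0]:
            problems.append(f"missing required field {path}")
    for path, aces_type in FIELD_TYPES.items():
        found, value = get_path(event, path)
        if found and not type_ok(value, aces_type):
            problems.append(f"{path} is not a valid {aces_type}: {value!r}")
    for path, allowed in ENUMS.items():
        found, value = get_path(event, path)
        if found and value not in allowed:
            problems.append(f"{path} value {value!r} not in allowed values")
    return problems

# Constructed sample event; the identifier values mirror the examples in the reference.
SAMPLE_EVENT = {
    "@timestamp": "2022-11-17T13:02:30.458Z",
    "version": "2.0",
    "message": "User login",
    "tags": ["example_tag"],
    "appomni": {
        "event": {"dataset": "okta_syslog",
                  "id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d",
                  "collected_time": "2022-11-17T13:02:31.000Z",
                  "sortable_event_id": "01GJ3CQYGGJ4GJP2WWBPRH07H8"},
        "organization": {"id": 1},
        "service": {"id": 7, "type": "okta"},
    },
    "authentication": {"method": "password", "provider": "Okta"},
    "event": {"action": "login_user"},
}

if __name__ == "__main__":
    print(validate_event(SAMPLE_EVENT) or "event conforms")
```

Note that a raw value such as the authentication.raw_method example Sha1HashedPassword is rejected if it is placed in authentication.method: the normalized enum is what detections key on, and the provider-specific string belongs in raw_method.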
Configuration
Top Level Fieldset: True
This field set refers to application settings and configurations.
Configuration Fields
configuration.name
Required Field: False
Type: STRING
Example: minimumPasswordLength
Detection Supported Field: True
The name or description of a configuration.
configuration.old_value
Required Field: False
Type: STRING
Example: disabled
Detection Supported Field: True
The previous value or state of a configuration.
configuration.value
Required Field: False
Type: STRING
Example: enabled
Detection Supported Field: True
The current value or state of a configuration.
Destination
Top Level Fieldset: True
Destination fields capture information about the receiver of an event.
Destination Fields
destination.address
Required Field: False
Type: STRING
Example: 8.8.8.8
Detection Supported Field: True
The raw address of the destination according to the source. This value should be duplicated to destination.ip or destination.domain, depending on which one applies.
destination.domain
Required Field: False
Type: STRING
Example: example.com
Detection Supported Field: True
The domain name of the destination. This value can be a host name or FQDN.
destination.indicators
Required Field: False
Type: ARRAY
Example: ['malicious']
Detection Supported Field: True
Threat indicators identified through enrichment, specific to a destination.
destination.ip
Required Field: False
Type: STRING
Example: 8.8.8.8
Detection Supported Field: True
IP address of the destination (IPv4 or IPv6).
destination.mac
Required Field: False
Type: STRING
Example: 00-00-5E-00-53-23
Detection Supported Field: True
MAC address of the destination.
destination.port
Required Field: False
Type: INTEGER
Example: 53
Detection Supported Field: True
Port of the destination.
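The Autonomous System, Authentication and Destination field sets above carry enrichment and authentication context on fields marked Detection Supported. The following added example (not AppOmni's detection engine or rule syntax) shows why the normalization matters: a rule written once against ACES field names runs unchanged over events from any monitored service. The sample events are constructed for this example; the event.action values used (login_user, download_resource, remove_mfa, unenroll_mfa, disable_mfa) come from the event.action allowed values, and source.as is the location the Autonomous System section gives for as fields. The dig helper, the rule names and the choice of which factors count as phishable are this example's own.

```python
"""Detection rules over normalized ACES events (added example; not AppOmni code)."""

# Constructed sample events. Rules consult only fields the reference marks
# "Detection Supported: True"; appomni.event.id is read only to report a hit.
EVENTS = [
    {   # password login from an IP that enrichment attributes to a VPN provider
        "appomni": {"event": {"id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d"}},
        "event": {"action": "login_user"},
        "authentication": {"method": "password", "provider": "Okta"},
        "source": {"as": {"number": 64512, "organization": {"name": "Example Hosting"},
                          "service": "PureVPN"}},
    },
    {   # hardware-authenticator login from an ordinary ISP: nothing to flag
        "appomni": {"event": {"id": "733e5b47-d79b-40c1-bc8c-b19c22137785"}},
        "event": {"action": "login_user"},
        "authentication": {"method": "hardware_authenticator", "provider": "Okta"},
        "source": {"as": {"number": 15169, "organization": {"name": "Google LLC"},
                          "type": "ISP"}},
    },
    {   # resource download whose destination carries an enrichment threat indicator
        "appomni": {"event": {"id": "123e4567-e89b-12d3-a456-426614174000"}},
        "event": {"action": "download_resource"},
        "destination": {"ip": "8.8.8.8", "indicators": ["malicious"]},
    },
    {   # MFA factor removed from a user; no network context on the event at all
        "appomni": {"event": {"id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d"}},
        "event": {"action": "remove_mfa"},
    },
]

# authentication.method values this example treats as phishable (its own choice).
PHISHABLE_METHODS = {"password", "sms", "phone_call", "email"}
MFA_WEAKENING_ACTIONS = {"remove_mfa", "unenroll_mfa", "disable_mfa"}

def dig(event, *keys):
    """Walk nested dicts by key; return None if any level is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur

def rule_phishable_login_from_privacy_service(ev):
    """login_user with a phishable factor from an IP privacy service (as.service set)."""
    if dig(ev, "event", "action") != "login_user":
        return None
    method = dig(ev, "authentication", "method")
    service = dig(ev, "source", "as", "service")
    if method in PHISHABLE_METHODS and service:
        return f"login with phishable factor {method!r} via IP privacy service {service!r}"
    return None

def rule_destination_threat_indicator(ev):
    """Any event whose destination.indicators enrichment includes 'malicious'."""
    indicators = dig(ev, "destination", "indicators") or []
    if "malicious" in indicators:
        return f"destination {dig(ev, 'destination', 'ip')!r} flagged by enrichment: {indicators}"
    return None

def rule_mfa_weakened(ev):
    """Actions that remove or disable an MFA factor or enforcement."""
    action = dig(ev, "event", "action")
    if action in MFA_WEAKENING_ACTIONS:
        return f"MFA weakened by action {action!r}"
    return None

RULES = [rule_phishable_login_from_privacy_service,
         rule_destination_threat_indicator,
         rule_mfa_weakened]

def run_detections(events, rules=RULES):
    """Return [(appomni.event.id, rule name, reason)] for every rule that fires."""
    hits = []
    for ev in events:
        for rule in rules:
            reason = rule(ev)
            if reason:
                hits.append((dig(ev, "appomni", "event", "id"), rule.__name__, reason))
    return hits

if __name__ == "__main__":
    for event_id, rule_name, reason in run_detections(EVENTS):
        print(f"{event_id}  {rule_name}: {reason}")
```

Because every rule keys on normalized names (event.action, authentication.method, source.as.service, destination.indicators), the same three functions apply to an Okta login, a Salesforce login, or a custom_eventlog_push event without a per-source parser.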
Error
Top Level Fieldset: True
The error fields are used when an error occurred while fetching an event or an event contains an error.
Error Fields
error.id
Required Field: False
Type: STRING
Example: 23486
Detection Supported Field: True
Unique ID of the error.
error.message
Required Field: False
Type: STRING
Example: An exception has occurred in program
Detection Supported Field: True
Error message.
error.type
Required Field: False
Type: STRING
Example: Exception
Detection Supported Field: True
The type or class of the error.
Event
Top Level Fieldset: True
The event fields are used for context information about the log itself. A log is defined as an event containing details of something that happened.
Event Fields
event.action
Required Field: False
Type: STRING
Example: login_user
Detection Supported Field: True
The action captured by the event.
Allowed Values
Name | Description |
---|---|
accept_invite | Accept an invitation |
accept_message | Accept a message |
accept_session | Accept a session |
accept_tos | Accept Terms of Service |
access_app | Access an application |
access_webhook | Access a webhook |
add_app | Add an application |
add_device | Add a device |
add_domain | Add a domain |
add_key | Add an encryption or x509 private key, or similar (Not used to refer to API keys) |
add_label | Add a label or tag |
add_mfa | Add a new MFA factor for a user such as a phone number, authenticator app, or hardware token |
add_permission | Add a permission |
add_policy | Add a policy |
add_resource | Add a resource |
add_role | Add a role |
add_rule | Add a rule |
add_team | Add a team |
add_user | Add a user |
add_workflow | Add a workflow |
alert_api | Notable API event |
alert_device | Notable device event |
alert_event | Notable event |
alert_mfa | User bypasses, attempts to bypass, or circumvents MFA in some way |
alert_policy | Notable policy event |
alert_resource | Notable resource event |
alert_rule | Notable rule event |
alert_user | Notable user event |
allow_issue | Allow an issue |
approve_access | Approve access to a service or resource |
approve_app | Approve an application |
approve_resource | Approve a resource |
approve_request | Approve a request |
approve_token | Approve a token or API key |
approve_user | Approve a user |
approve_workflow | Approve a workflow |
archive_key | Archive an encryption or x509 private key, or similar (Not used to refer to API keys) |
archive_resource | Archive a resource |
archive_rule | Archive a rule |
archive_user | Archive a user |
assign_issue | Assign an issue |
authenticate_app | Application authentication |
authenticate_user | User authentication |
await_resource | Await resource |
block_session | Block a session |
block_user | Block a user |
canary | Canary event |
cancel_review | Cancel a review |
cancel_sponsorship | Cancel a sponsorship |
cancel_workflow | Cancel a workflow |
change_mfa | Change an MFA factor (Use add_mfa and remove_mfa if separate events are available) |
close_issue | Close an issue |
close_project | Close a project |
close_request | Close or cancel a request |
close_review | Close a review |
complete_task | Complete a task |
complete_workflow | Complete a workflow |
connect_app | Connect an application |
connect_user | Connect a user (Used when a user joins a space.) |
copy_key | Copy an encryption or x509 private key, or similar (Not used to refer to API keys) |
copy_resource | Copy a resource |
create_account | Create an account (Used to refer to a business unit account; for a user account, use create_user) |
create_advisory | Create a security advisory |
create_api | Create or register an API |
create_app | Create or register an application |
create_branch | Create a Git branch |
create_code | Create code, commits, or releases |
create_comment | Create a comment |
create_csr | Create a Certificate Signing Request |
create_deployment | Create a deployment |
create_event | Create an event |
create_exception | Create an exception |
create_fork | Create a fork |
create_group | Create a group |
create_index | Create a table index |
create_issue | Create an issue |
create_key | Create an encryption or x509 private key, or similar (Not used to refer to API keys) |
create_label | Create a label or tag |
create_metadata | Create metadata |
create_mfa | Create an MFA token or code |
create_organization | Create an organization |
create_package | Create a package |
create_password | Create a password or PIN |
create_permission | Create a permission |
create_policy | Create a policy |
create_project | Create a project |
create_request | Create a request |
create_resource | Create a resource |
create_role | Create a role |
create_rule | Create a rule |
create_setting | Create a setting |
create_share | Create a shared resource such as a drive or folder |
create_sponsorship | Create a sponsorship |
create_task | Create a task |
create_team | Create a team |
create_token | Create a token or API key |
create_user | Create a user |
create_webhook | Create a webhook |
create_workflow | Create a workflow |
delete_account | Delete an account (Used to refer to a business unit account; for a user account, use delete_user) |
delete_advisory | Delete a security advisory |
delete_alert | Delete an alert |
delete_app | Delete an application |
delete_branch | Delete a Git branch |
delete_certificate | Delete a certificate |
delete_code | Delete code, commits, or releases |
delete_comment | Delete a comment |
delete_exception | Delete an exception |
delete_group | Delete a group |
delete_index | Delete a table index |
delete_issue | Delete an issue |
delete_key | Delete an encryption or x509 private key, or similar (Not used to refer to API keys) |
delete_label | Delete a label or tag |
delete_metadata | Delete metadata |
delete_organization | Delete an organization |
delete_package | Delete a package |
delete_permission | Delete a permission |
delete_policy | Delete a policy |
delete_project | Delete a project |
delete_request | Delete a request |
delete_resource | Delete a resource |
delete_role | Delete a role |
delete_rule | Delete a rule |
delete_setting | Delete a setting |
delete_task | Delete a task |
delete_team | Delete a team |
delete_token | Delete a token or API key |
delete_user | Delete a user |
delete_webhook | Delete a webhook |
delete_workflow | Delete a workflow |
demote_role | Demote the role of a user or group |
deny_access | Deny access to a service or resource |
deny_invite | Deny or reject an invitation |
deny_request | Deny or reject a request |
disable_account | Disable an account (Used to refer to a business unit account; for a user account, use disable_user) |
disable_app | Disable or deactivate an application |
disable_device | Disable or deactivate a device |
disable_license | Disable or deactivate a license |
disable_mfa | Disable or un-enforce MFA for an entire org |
disable_permission | Disable or un-enforce a permission |
disable_policy | Disable or un-enforce a policy |
disable_resource | Disable a resource |
disable_rule | Disable a rule |
disable_setting | Disable a setting |
disable_user | Disable or deactivate a user |
disable_webhook | Disable or deactivate a webhook |
disable_workflow | Disable a workflow |
disconnect_app | Disconnect an application |
disconnect_user | Disconnect a user (Used when a user leaves a space.) |
dismiss_advisory | Dismiss a security advisory |
download_resource | Download a resource |
download_token | Download or export a token or API key |
elevate_permission | Elevate the permission of a user or group |
elevate_role | Elevate the role of a user or group |
enable_account | Enable an account (Used to refer to a business unit account; for a user account, use enable_user) |
enable_api | Enable an API |
enable_app | Enable or activate an application |
enable_device | Enable or activate a device |
enable_license | Enable or activate a license |
enable_mfa | Enable or enforce MFA for an entire org |
enable_permission | Enable or enforce a permission |
enable_policy | Enable or enforce a policy |
enable_resource | Enable a resource |
enable_rule | Enable a rule |
enable_setting | Enable a setting |
enable_user | Enable or activate a user |
enable_webhook | Enable or activate a webhook |
enable_workflow | Enable a workflow |
end_resource | End, stop or terminate a resource |
end_session | End a session |
end_task | End a task |
enroll_certificate | Enroll or add a certificate |
enroll_mfa | Turn on MFA for a user |
evaluate_policy | Evaluate a policy |
evaluate_token | Evaluate a token or API key |
execute_app | Execute or launch an application |
execute_command | Execute a command |
execute_policy | Execute a policy |
execute_request | Execute a request |
execute_resource | Execute a resource |
execute_rule | Execute a rule |
execute_task | Execute a task (Use start_task and end_task if separate events are available) |
execute_workflow | Execute a workflow |
expire_exception | Expire an exception |
expire_invite | Force an invitation to expire |
expire_mfa | Expire an MFA request |
expire_password | Force a password to expire |
expire_request | Force a request to expire |
expire_session | Force a session to expire |
expire_token | Force a token to expire |
favorite_resource | Favorite or star a resource |
follow_resource | Follow or subscribe to a resource |
get_token | Get a token or API key |
ignore_issue | Ignore an issue |
impersonate_user | Impersonate a user |
import_account | Import an account (Used to refer to a business unit account; for a user account, use import_user) |
import_group | Import a group |
import_resource | Import a resource |
import_user | Import a user |
install_app | Install an application |
invite_user | Invite a user |
issue_certificate | Issue a certificate |
lock_account | Lock an account (Used to refer to a business unit account; for a user account, use lock_user) |
lock_issue | Lock an issue |
lock_resource | Lock a resource |
lock_user | Lock a user |
login_user | User login |
logout_user | User logout |
mitigate_advisory | Mitigate a security advisory |
move_issue | Move an issue |
move_resource | Move a resource |
notify_issue | An issue notification is sent |
notify_mfa | An MFA factor is sent to the user via SMS, email, phone call, etc. (This event action should be used only when a separate event exists that captures the success/failure of the second factor) |
notify_workflow | A workflow notification is sent |
open_issue | Open an issue |
open_project | Open a project |
pin_issue | Pin an issue |
preview_resource | Preview a resource (If no distinction is made between "preview" and "view", use read_resource) |
print_resource | Print resource to a printer |
privatize_resource | Make a resource private |
publicize_resource | Make a resource public |
publish_code | Publish code, commits, or releases |
publish_csr | Publish a Certificate Signing Request |
publish_resource | Publish a resource (Use privatize_resource or publicize_resource if private/public status is known) |
push_commit | Push a code commit to version control |
query_api | Query an API |
query_resource | Query a resource |
read_account | Read an account (Used to refer to a business unit account; for a user account, use read_user) |
read_audit | Read an audit log or file |
read_config | Read a configuration file |
read_device | Read a device |
read_group | Read a group |
read_label | Read a label or tag |
read_metadata | Read resource metadata |
read_password | Read or show a password |
read_permission | Read a permission |
read_policy | Read a policy |
read_resource | Read or open a resource |
read_role | Read a role |
read_rule | Read a rule |
read_schema | Read a schema |
read_setting | Read a setting |
read_share | Read a shared resource such as a drive or folder |
read_task | Read a task |
read_user | Read a user |
reject_tos | Reject Terms of Service |
remove_app | Remove an application |
remove_device | Remove a device |
remove_domain | Remove a domain |
remove_group | Remove a group or multiple users |
remove_label | Remove a label or tag |
remove_license | Remove a license |
remove_mfa | Remove, reset, or suspend MFA factor(s) for a user |
remove_permission | Remove a permission |
remove_policy | Remove a policy |
remove_resource | Remove a resource |
remove_role | Remove a role |
remove_rule | Remove a rule |
remove_team | Remove a team |
remove_user | Remove a user from a group or resource |
request_access | Request access to a service or resource |
request_advisory | Request a security advisory |
request_authorization | Request authorization |
request_review | Request a review |
request_task | Request to execute a task |
request_token | Request a token or API key |
reset_password | Reset a password (Refers to a user requesting a password reset; use update_password if the password is updated) |
restore_resource | Restore or recover a resource |
revoke_access | Revoke access to a service or resource |
revoke_api | Revoke an API |
revoke_app | Revoke an application |
revoke_certificate | Revoke a certificate |
revoke_csr | Revoke a Certificate Signing Request |
revoke_token | Revoke a token or API key |
revoke_user | Revoke a user |
send_healthcheck | Send a healthcheck |
send_heartbeart | Send a heartbeat event |
share_resource | Share a resource |
share_screen | Share or cast screen |
start_resource | Start or launch a resource |
start_session | Start a session |
start_task | Start a task |
submit_review | Submit a review |
suspend_app | Suspend an application |
synchronize_account | Synchronize an account (Used to refer to a business unit account; for a user account, use synchronize_user) |
synchronize_device | Synchronize a device |
synchronize_group | Synchronize a group |
synchronize_resource | Synchronize a resource |
synchronize_task | Synchronize a task |
synchronize_user | Synchronize a user |
transfer_owner | Transfer ownership |
unarchive_resource | Unarchive a resource |
unassign_issue | Unassign an issue |
unblock_user | Unblock a user |
unenroll_mfa | Turn off MFA for a user |
unfavorite_resource | Unfavorite or unstar a resource |
unfollow_resource | Unfollow or unsubscribe to a resource |
uninstall_app | Uninstall an application |
unknown | Event action is unknown |
unlock_account | Unlock an account (Used to refer to a business unit account; for a user account, use unlock_user) |
unlock_issue | Unlock an issue |
unlock_resource | Unlock a resource |
unlock_token | Unlock or enable a token or API key |
unlock_user | Unlock a user |
unpin_issue | Unpin an issue |
unpublish_code | Unpublish code, commits, or releases |
unshare_resource | Unshare a resource |
unsuspend_app | Unsuspend an application |
update_access | Update access to a service or resource |
update_account | Update an account (Used to refer to a business unit account; for a user account, use update_user) |
update_advisory | Update a security advisory |
update_alert | Update an alert |
update_api | Update an API |
update_app | Update an application |
update_authentication | Update authentication method or setting |
update_certificate | Update a certificate |
update_code | Update code, commits, or releases |
update_comment | Update a comment |
update_device | Update a device |
update_group | Update a group |
update_index | Update a table index |
update_issue | Update an issue |
update_key | Update an encryption or x509 private key, or similar (Not used to refer to API keys) |
update_label | Update a label or tag |
update_metadata | Update metadata |
update_mailbox | Update a mailbox |
update_organization | Update an organization-wide setting or value |
update_package | Update a package |
update_password | Update a password or PIN |
update_permission | Update a permission |
update_policy | Update a policy |
update_project | Update a project |
update_resource | Update a resource |
update_request | Update a request |
update_review | Update a review |
update_role | Update a role |
update_rule | Update a rule |
update_session | Update a session |
update_setting | Update a setting |
update_share | Update a shared resource such as a drive or folder |
update_sponsorship | Update a sponsorship |
update_status | Update a status |
update_task | Update a task |
update_team | Update a team |
update_token | Update a token or API key |
update_user | Update user information (Use update_password if the event refers to a password) |
update_webhook | Update a webhook |
update_workflow | Update a workflow |
upgrade_app | Upgrade an application |
upload_resource | Upload a resource |
upload_token | Upload a token or API key |
verify_device | Verify or authorize a device |
verify_group | Verify or authorize a group |
verify_mfa | Enter or acknowledge an MFA factor (event.outcome should be utilized to indicate success or failure) |
verify_resource | Verify a resource |
verify_user | Verify or authorize a user |
verify_webhook | Verify or authorize a webhook |
event.category
Required Field: False
Type: ARRAY
Example: ['authentication']
Detection Supported Field: True
Indicates the high-level categorization of an event.
Allowed Values
Name | Description |
---|---|
authentication | Represents an event related to an identity verification process, such as a user providing a password to log in. |
configuration | Represents an event related to the creation, modification, or deletion of an application or system setting. |
file | Represents an event related to a CRUD operation on a file. |
malware | Represents an event related to a detection of malware. |
event.code
Required Field: False
Type: STRING
Example: 8080
Detection Supported Field: True
Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time.
event.created
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event was reported as created in the monitored service.
event.dataset
Required Field: False
Type: STRING
Example: appomni_qa
Detection Supported Field: True
The dataset of the event as presented by the SaaS platform. This is distinct from AppOmni datasets, which reside under appomni.event.dataset.
event.duration
Required Field: False
Type: INTEGER
Example: 60
Detection Supported Field: True
Duration of the event. If event.start and event.end are known, this value should be the difference between the end and start time.
event.end
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event ended or when the activity was last observed.
event.id
Required Field: False
Type: STRING
Example: f837df
Detection Supported Field: True
Unique ID to describe the event.
event.ingested
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event arrived in AppOmni's data store.
event.kind
Required Field: False
Type: STRING
Example: event
Detection Supported Field: False
event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event.
Allowed Values
Name | Description |
---|---|
alert | Represents a notification about one or more related events; typically indicative of suspected malicious activity and generated via a detection rule. |
event | Represents any observable occurrence in a system. |
synthetic | Represents an AppOmni generated observation made during the analysis of a system. |
finding | Represents an AppOmni discovered policy/posture issue or insight. |
event.module
Required Field: False
Type: STRING
Example: core
Detection Supported Field: True
Module of the event. This is usually a specific product or plugin of the monitored service.
event.original
Required Field: False
Type: STRING
Example: {"some_key": "some value"}
Detection Supported Field: False
The raw event in its original form.
event.outcome
Required Field: False
Type: STRING
Example: success
Detection Supported Field: True
The outcome describes whether an event action succeeded or failed.
Allowed Values
Name | Description |
---|---|
success | Indicates the event action succeeded. |
failure | Indicates the event action failed. |
unknown | Indicates the result of the event action is unknown. |
event.provider
Required Field: False
Type: STRING
Example: AppOmni Core
Detection Supported Field: True
Source of the event. This may be the API endpoint or operating system that generated the event.
event.reason
Required Field: False
Type: STRING
Example: Incorrect password
Detection Supported Field: True
Reason this event happened, according to the source.
event.reference
Required Field: False
Type: STRING
Example: https://example.com/event/user_logged_in
Detection Supported Field: False
URL to reference information about this event.
event.risk_score
Required Field: False
Type: FLOAT
Example: 85.63
Detection Supported Field: True
Risk score of the event, as provided by the original source.
event.risk_score_norm
Required Field: False
Type: FLOAT
Example: 85.63
Detection Supported Field: True
Normalized risk score of the event, on a scale of 0 to 100.
event.sequence
Required Field: False
Type: INTEGER
Example: 1
Detection Supported Field: True
Sequence number of the event. Sequence numbering is used to ensure the order of events is known, regardless of the timestamp.
event.severity
Required Field: False
Type: INTEGER
Example: 1
Detection Supported Field: True
The numeric severity of the event according to the source.
event.start
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event started or when the activity was first observed.
event.type
Required Field: False
Type: ARRAY
Example: ['access']
Detection Supported Field: True
Indicates the type of event. This is a subcategory of event.category.
Allowed Values
Name | Description |
---|---|
access | Represents a resource or item was accessed. |
admin | Represents an admin operation. |
change | Represents a resource or item was changed. |
end | Represents an event has ended. |
info | Represents an event is informational. |
start | Represents an event has started. |
creation | Represents a resource or item was created. |
deletion | Represents a resource or item was deleted. |
event.url
Required Field: False
Type: STRING
Example: https://example.com/alert/1234
Detection Supported Field: False
URL to an external source to continue investigation of this event.
File
Top Level Fieldset: True
This field set is used to define information about a file related to an event. resource.type should always be defined when file fields are used.
File Fields
file.created
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time the file was created.
file.directory
Required Field: False
Type: STRING
Example: /home/reports
Detection Supported Field: True
Directory where the file is located. It should include the drive letter if applicable.
file.extension
Required Field: False
Type: STRING
Example: docx
Detection Supported Field: True
File extension, excluding the leading dot.
file.hash
Required Field: False
Type: STRING
Example: 0a50475bcaaf0de19d0b0be78ac36ef6ac8ee6f0cd745c2e625f69523c64e544
Detection Supported Field: True
Hash of the file. Value may be the result of any hashing algorithm.
file.id
Required Field: False
Type: STRING
Example: 32d28dg6
Detection Supported Field: True
Unique ID of the file. This value should be duplicated to resource.id.
file.name
Required Field: False
Type: STRING
Example: sales_report.docx
Detection Supported Field: True
Name of the file. This value should be duplicated to resource.name.
file.path
Required Field: False
Type: STRING
Example: /home/reports/sales_report.docx
Detection Supported Field: True
Full path to the file, including the file name.
file.size
Required Field: False
Type: INTEGER
Example: 256321
Detection Supported Field: True
File size in bytes.
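A validator for the rules stated in the event fieldset above (allowed values for event.kind, event.outcome, event.category and event.type; event.duration derived from event.start and event.end; event.risk_score_norm on a 0 to 100 scale) and in the file fieldset (resource.type required when file fields are used; file.id and file.name duplicated to resource.id and resource.name). It is added here as an example and is not part of the ACES specification or AppOmni's code; it assumes event.duration is expressed in seconds, and the two sample events are constructed for the example.

```python
"""Added example, not part of the ACES specification or AppOmni's code.
Field names and allowed values are taken from the ACES page; the checks
themselves are one assumed way of enforcing the rules the page states."""
from datetime import datetime
from typing import Any, List

# Allowed values copied from the page's "Allowed Values" tables.
EVENT_KIND = {"alert", "event", "synthetic", "finding"}
EVENT_OUTCOME = {"success", "failure", "unknown"}
EVENT_CATEGORY = {"authentication", "configuration", "file", "malware"}
EVENT_TYPE = {"access", "admin", "change", "end", "info", "start",
              "creation", "deletion"}


def get_path(event: dict, path: str) -> Any:
    """Resolve a dotted ACES field name such as 'event.outcome' on a nested dict."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_ts(value: str) -> datetime:
    """Parse the page's DATETIME form, e.g. 2022-11-17T06:30:10.442Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_event(event: dict) -> List[str]:
    """Return the list of rule violations; an empty list means the event passes."""
    problems: List[str] = []

    # STRING fields with an enumerated set of allowed values.
    for field, allowed in (("event.kind", EVENT_KIND),
                           ("event.outcome", EVENT_OUTCOME)):
        value = get_path(event, field)
        if value is not None and value not in allowed:
            problems.append(f"{field}: {value!r} not in allowed values")

    # ARRAY fields: every element must be an allowed value.
    for field, allowed in (("event.category", EVENT_CATEGORY),
                           ("event.type", EVENT_TYPE)):
        values = get_path(event, field)
        if values is None:
            continue
        if not isinstance(values, list):
            problems.append(f"{field}: expected ARRAY")
            continue
        for v in values:
            if v not in allowed:
                problems.append(f"{field}: {v!r} not in allowed values")

    # event.duration should be end - start when both timestamps are known.
    # Assumption: duration is in seconds (the page gives no unit).
    start = get_path(event, "event.start")
    end = get_path(event, "event.end")
    duration = get_path(event, "event.duration")
    if start is not None and end is not None and duration is not None:
        expected = (parse_ts(end) - parse_ts(start)).total_seconds()
        if abs(expected - duration) > 1e-9:
            problems.append(f"event.duration: {duration} != end-start ({expected:g})")

    # Normalized risk score is defined on a 0 to 100 scale.
    norm = get_path(event, "event.risk_score_norm")
    if norm is not None and not 0 <= norm <= 100:
        problems.append(f"event.risk_score_norm: {norm} outside 0-100")

    # File fieldset rules: resource.type must be set, and file.id / file.name
    # must be duplicated into resource.id / resource.name.
    file_obj = event.get("file")
    if isinstance(file_obj, dict) and file_obj:
        if get_path(event, "resource.type") is None:
            problems.append("resource.type: must be set when file.* fields are used")
        for src, dst in (("file.id", "resource.id"), ("file.name", "resource.name")):
            s, d = get_path(event, src), get_path(event, dst)
            if s is not None and s != d:
                problems.append(f"{dst}: should duplicate {src} ({s!r})")
    return problems


# Constructed sample events (not the page's example event).
GOOD_EVENT = {
    "event": {"kind": "event", "category": ["file"], "type": ["access"],
              "outcome": "success", "start": "2022-11-17T06:30:10.442Z",
              "end": "2022-11-17T06:31:10.442Z", "duration": 60,
              "risk_score_norm": 85.63},
    "file": {"id": "32d28dg6", "name": "sales_report.docx",
             "path": "/home/reports/sales_report.docx"},
    "resource": {"id": "32d28dg6", "name": "sales_report.docx", "type": "report"},
}
BAD_EVENT = {
    "event": {"kind": "observation", "category": ["file", "network"],
              "type": "access", "outcome": "ok",
              "start": "2022-11-17T06:30:10.442Z",
              "end": "2022-11-17T06:31:10.442Z", "duration": 30,
              "risk_score_norm": 120.0},
    "file": {"id": "32d28dg6", "name": "sales_report.docx"},
    "resource": {"id": "other"},
}

if __name__ == "__main__":
    print("good:", validate_event(GOOD_EVENT))
    print("bad:", *validate_event(BAD_EVENT), sep="\n  ")
```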
Geo
Top Level Fieldset: False
Geo fields contain information about the location related to an event, which can be derived from the log source or IP enrichment.
Fields from geo
can only be found at the following locations:
source.geo
destination.geo
Geo Fields
geo.city_name
Required Field: False
Type: STRING
Example: San Francisco
Detection Supported Field: True
Name of the city.
geo.continent_code
Required Field: False
Type: STRING
Example: NA
Detection Supported Field: True
Two-letter code representing the continent's name.
Allowed Values
Name | Description |
---|---|
AF | Africa |
AN | Antarctica |
AS | Asia |
EU | Europe |
NA | North America |
OC | Oceania |
SA | South America |
geo.continent_name
Required Field: False
Type: STRING
Example: North America
Detection Supported Field: True
Name of the continent.
Allowed Values
Name | Description |
---|---|
Africa | Africa |
Antarctica | Antarctica |
Asia | Asia |
Europe | Europe |
North America | North America |
Oceania | Oceania |
South America | South America |
geo.country_iso_code
Required Field: False
Type: STRING
Example: US
Detection Supported Field: True
ISO code of the country.
geo.country_name
Required Field: False
Type: STRING
Example: United States of America
Detection Supported Field: True
Name of the country.
geo.location
Required Field: False
Type: LAT_LON
Example: {'lon': -73.61483, 'lat': 45.505918}
Detection Supported Field: False
Longitude and latitude.
geo.name
Required Field: False
Type: STRING
Example: sf-office
Detection Supported Field: True
Description of the specific location, such as an office name or floor number.
geo.postal_code
Required Field: False
Type: STRING
Example: 94016
Detection Supported Field: True
Postal code or ZIP code associated with the location. This value will vary depending on the country.
geo.region_iso_code
Required Field: False
Type: STRING
Example: US-CA
Detection Supported Field: True
ISO code of the region or state.
geo.region_name
Required Field: False
Type: STRING
Example: California
Detection Supported Field: True
Name of the region or state.
geo.timezone
Required Field: False
Type: STRING
Example: America/Los_Angeles
Detection Supported Field: True
IANA timezone name of the location.
Group
Top Level Fieldset: False
The group fields capture groups related to the event.
Fields from group
can only be found at the following locations:
user.group
user.target.group
user.effective.group
user.changes.group
Group Fields
group.id
Required Field: False
Type: STRING
Example: 502386
Detection Supported Field: True
Unique ID for the group on the system.
group.name
Required Field: False
Type: STRING
Example: Admin Group
Detection Supported Field: True
Name of the group.
Host
Top Level Fieldset: False
The host fields define details about the machine, node, or container on which the event occurred.
Fields from host
can only be found at the following locations:
source.host
destination.host
Host Fields
host.hostname
Required Field: False
Type: STRING
Example: jdoes-mac
Detection Supported Field: True
Hostname of the host.
host.id
Required Field: False
Type: STRING
Example: dfg422
Detection Supported Field: True
Unique ID of the host.
host.mac
Required Field: False
Type: STRING
Example: 32-4B-4D-ED-60-FC
Detection Supported Field: True
MAC address of the host.
host.name
Required Field: False
Type: STRING
Example: jdoes-mac
Detection Supported Field: True
Name of the host. This value can be the hostname, FQDN, or user-defined name.
host.type
Required Field: False
Type: STRING
Example: workstation
Detection Supported Field: True
Type of host.
Identity
Top Level Fieldset: False
This field set contains information about an identity that is related to the event.
Fields from identity
can only be found at the following locations:
user.identity
user.target.identity
user.effective.identity
user.changes.identity
Identity Fields
identity.admin
Required Field: False
Type: BOOL
Example: True
Detection Supported Field: True
Indicates whether an identity has administrative privileges.
identity.elevated
Required Field: False
Type: BOOL
Example: True
Detection Supported Field: True
Indicates whether an identity has elevated privileges.
identity.email
Required Field: False
Type: STRING
Example: jdoe@example.com
Detection Supported Field: True
Email address of the identity.
identity.full_name
Required Field: False
Type: STRING
Example: Jane Doe
Detection Supported Field: True
Display name of the identity.
identity.id
Required Field: False
Type: STRING
Example: 2d152ca0-c7e0-4e15-a19b-ff348c287c1a
Detection Supported Field: True
Unique ID of the identity.
Operating System
Top Level Fieldset: False
The OS fields contain information about the operating system related to the event.
Fields from os
can only be found at the following locations:
source.host.os
destination.host.os
user_agent.os
Operating System Fields
os.kernel
Required Field: False
Type: STRING
Example: 21.6.0
Detection Supported Field: True
Kernel version of the operating system as a raw string.
os.name
Required Field: False
Type: STRING
Example: Mac OS X
Detection Supported Field: True
Name of the operating system, without the version.
os.platform
Required Field: False
Type: STRING
Example: darwin
Detection Supported Field: True
Operating system platform.
os.type
Required Field: False
Type: STRING
Example: macos
Detection Supported Field: True
Name of the operating system family.
Allowed Values
Name | Description |
---|---|
android | Android |
chromeos | ChromeOS |
ios | iOS |
linux | Linux |
macos | macOS |
unix | Unix |
windows | Windows |
Policy
Top Level Fieldset: True
This field set contains information about the policy related to an event.
Policy Fields
policy.category
Required Field: False
Type: STRING
Example: posture
Detection Supported Field: True
Indicates the high-level categorization of a policy.
policy.description
Required Field: False
Type: STRING
Example: Multi-factor Sign-On Policy for admin users.
Detection Supported Field: True
Brief explanation of the purpose of the policy.
policy.id
Required Field: False
Type: STRING
Example: 00pd30ftwhug3OBzP5d7
Detection Supported Field: True
Unique ID of the policy.
policy.name
Required Field: False
Type: STRING
Example: Password
Detection Supported Field: True
Name of the policy.
policy.outcome
Required Field: False
Type: STRING
Example: NoAction
Detection Supported Field: True
Outcome of a policy evaluation on an audited action.
Related
Top Level Fieldset: True
This field set indicates related fields which can enable pivoting to associated events.
Related Fields
related.event
Required Field: False
Type: ARRAY
Example: ['733e5b47-d79b-40c1-bc8c-b19c22137785']
Detection Supported Field: True
Event IDs related to an event, reflecting the AppOmni Event ID from appomni.event.id.
related.hash
Required Field: False
Type: ARRAY
Example: ['']
Detection Supported Field: True
Hashes related to an event. Values may be the result of any hashing algorithm.
related.host
Required Field: False
Type: ARRAY
Example: ['ao-desktop1']
Detection Supported Field: True
Hosts related to an event. Values may be the hostname, FQDN, or user-defined name.
related.identity
Required Field: False
Type: ARRAY
Example: ['2d152ca0-c7e0-4e15-a19b-ff348c287c1a']
Detection Supported Field: True
Identity IDs related to an event.
related.ip
Required Field: False
Type: ARRAY
Example: ['8.8.8.8']
Detection Supported Field: True
IP addresses related to an event (IPv4 or IPv6).
related.resource
Required Field: False
Type: ARRAY
Example: ['32d28dg6']
Detection Supported Field: True
Resources related to an event.
related.services.id
Required Field: False
Type: ARRAY
Example: [1]
Detection Supported Field: True
AppOmni Service IDs related to an event.
related.services.name
Required Field: False
Type: ARRAY
Example: ['AppOmni QA US1']
Detection Supported Field: True
AppOmni Service Names related to an event.
related.services.type
Required Field: False
Type: ARRAY
Example: ['ao_qa']
Detection Supported Field: True
AppOmni Service Types related to an event.
related.user
Required Field: False
Type: ARRAY
Example: ['ABCDEFG']
Detection Supported Field: True
Users related to an event.
Resource
Top Level Fieldset: True
This field set captures information about a resource related to an event.
Fields from resource
can also be found at the following locations:
resource.parent
Resource Fields
resource.count
Required Field: False
Type: INTEGER
Example: 100
Detection Supported Field: True
Number of items in the resource.
resource.id
Required Field: False
Type: STRING
Example: 32d28dg6
Detection Supported Field: True
Unique ID of the resource.
resource.name
Required Field: False
Type: STRING
Example: sales_report
Detection Supported Field: True
Name of the resource.
resource.type
Required Field: False
Type: STRING
Example: record
Detection Supported Field: True
Indicates the type of resource. The most descriptive type should be used to define a resource. For example, a file containing a report should have the resource.type of report rather than file.
Allowed Values
Name | Description |
---|---|
application | Application. Use application.* fields to capture application details. |
code | Resource that contains code. |
comment | Comment or generic message. Use email for email messages. |
credential | Identifier for a credential or secret. |
datastore | Database, data warehouse, or other data storage resource. |
destination | Receiver of an event, message, or any other output. Use destination.* fields to capture destination details. |
device | Device referenced in event. Use host.* fields to capture device details if applicable. |
email | Email. |
file | File. Use file.* fields to capture file details. |
folder | Folder or directory. |
group | Group of related users. |
issue | Bugs, security findings, or any other problem. |
list | Group of related items. |
organization | Company or other set of related users, groups, and resources. |
page | Web page or a page within a file. |
policy | Policy. Use policy.* fields to capture policy details. |
project | Group of related user stories or other work tracking. |
record | Row in a table or log. |
report | The output of a query or search. |
repository | Code or document repository. |
role | Group of related permissions associated with a user. |
rule | Detection rule. Use rule.* fields to capture rule details. |
shortcut | Shortcut or link to resource. |
space | Physical or virtual space, such as a meeting. Use space.* fields to capture space details. |
table | Usually refers to a database table. For a collection of related items, use list. |
tag | Metadata or label of a resource. |
task | Machine task, such as a cron job or continuous integration check. |
unknown | Resource type is unknown. |
user | Target user. Use user.target.* fields to capture user details. |
Rule
Top Level Fieldset: True
This field set is used to capture information about detection rules.
Rule Fields
rule.author
Required Field: False
Type: STRING
Example: AppOmni
Detection Supported Field: True
Name, organization, or author(s) who created the rule.
rule.category
Required Field: False
Type: STRING
Example: Authentication
Detection Supported Field: True
Indicates the high-level categorization of the rule.
rule.description
Required Field: False
Type: STRING
Example: Multiple admin users have been deleted or suspended in a short period of time. An adversary might use this technique to disrupt business operations and maintain their access for a longer period.
Detection Supported Field: False
Brief explanation of what event(s) occurred and the intent/goal of the threat actor.
rule.license
Required Field: False
Type: STRING
Example: Apache 2.0
Detection Supported Field: False
Name of the license under which the rule is made available.
rule.name
Required Field: False
Type: STRING
Example: Multiple Admin Users Deleted
Detection Supported Field: True
Name of the rule.
rule.reference
Required Field: False
Type: STRING
Example: https://example.com/rule/123
Detection Supported Field: True
URL to reference information about the rule.
rule.ruleset
Required Field: False
Type: STRING
Example: Default Ruleset
Detection Supported Field: True
Name of the ruleset to which the rule is assigned.
rule.uuid
Required Field: False
Type: UUID
Example: ada8ee63-42b4-4f87-bc2c-22ce7e34f55d
Detection Supported Field: True
Unique UUID of the rule.
rule.vendor_id
Required Field: False
Type: STRING
Example: VendorX-123
Detection Supported Field: True
Unique ID of a vendor rule external to AppOmni.
rule.version
Required Field: False
Type: STRING
Example: 1
Detection Supported Field: False
Version of the rule.
Service
Top Level Fieldset: True
Describes the service from which the event was collected.
Service Fields
service.id
Required Field: False
Type: STRING
Example: wehg385
Detection Supported Field: True
ID of service as provided by the service provider.
service.name
Required Field: False
Type: STRING
Example: AppOmni QA
Detection Supported Field: True
Name of the service as provided by the service provider.
Session
Top Level Fieldset: True
This field set contains information about the user's session when an event occurred.
Session Fields
session.id
Required Field: False
Type: STRING
Example: bhM5rBAHTu1RggVh
Detection Supported Field: True
Unique ID of the session.
session.kind
Required Field: False
Type: STRING
Example: HIGH_ASSURANCE
Detection Supported Field: True
Description of the privilege level associated with a session, or how a session was established.
Source
Top Level Fieldset: True
Source fields capture information about the sender of an event.
Source Fields
source.address
Required Field: False
Type: STRING
Example: 8.8.8.8
Detection Supported Field: True
The raw address of the source. This value should be duplicated to source.ip or source.domain, depending on which one applies.
source.domain
Required Field: False
Type: STRING
Example: example.com
Detection Supported Field: True
The domain name of the source. This value can be a host name or FQDN.
source.indicators
Required Field: False
Type: ARRAY
Example: ['malicious']
Detection Supported Field: True
Threat indicators identified through enrichment, specific to a source.
source.ip
Required Field: False
Type: STRING
Example: 8.8.8.8
Detection Supported Field: True
IP address of the source (IPv4 or IPv6).
source.mac
Required Field: False
Type: STRING
Example: 00-00-5E-00-53-23
Detection Supported Field: True
MAC address of the source.
source.port
Required Field: False
Type: INTEGER
Example: 53
Detection Supported Field: True
Port of the source.
Space
Top Level Fieldset: True
This field set contains information about the physical or virtual space related to an event.
Space Fields
space.category
Required Field: False
Type: STRING
Example: meeting
Detection Supported Field: True
Indicates the high-level categorization of the space.
Allowed Values
Name | Description |
---|---|
channel | Channel |
meeting | Meeting |
workspace | Workspace |
space.id
Required Field: False
Type: STRING
Example: 7B3166F2
Detection Supported Field: True
Unique ID of the space.
space.name
Required Field: False
Type: STRING
Example: annual board meeting
Detection Supported Field: True
Name or title of the space.
Threat
Top Level Fieldset: False
This field set defines the framework in which rules are classified.
Fields from threat
can only be found at the following locations:
rule.threat
Threat Fields
threat.framework
Required Field: False
Type: STRING
Example: MITRE ATT&CK
Detection Supported Field: False
Name of the threat framework used to classify the tactic and technique of a threat.
threat.tactic.id
Required Field: False
Type: ARRAY
Example: ['TA0002']
Detection Supported Field: False
ID of the tactic.
threat.tactic.name
Required Field: False
Type: ARRAY
Example: ['Execution']
Detection Supported Field: False
Name of the tactic.
threat.tactic.reference
Required Field: False
Type: ARRAY
Example: ['https://attack.mitre.org/tactics/TA0002/']
Detection Supported Field: False
URL to reference information about the tactic.
threat.technique.id
Required Field: False
Type: ARRAY
Example: ['T1059']
Detection Supported Field: False
ID of the technique.
threat.technique.name
Required Field: False
Type: ARRAY
Example: ['Command and Scripting Interpreter']
Detection Supported Field: False
Name of the technique.
threat.technique.reference
Required Field: False
Type: ARRAY
Example: ['https://attack.mitre.org/techniques/T1059/']
Detection Supported Field: False
URL to reference information about the technique.
UEBA
Top Level Fieldset: False
This field set contains information about User and Entity Behavior Analytics (UEBA) behavior of an event.
Fields from ueba
can only be found at the following locations:
event.ueba
UEBA Fields
ueba.anomalous_fields
Required Field: False
Type: OBJECT
Example: {'source.as.number': 13541, 'source.ip': '147.34.2.14'}
Detection Supported Field: True
Details of the anomalous fields of the event.
ueba.normal_state
Required Field: False
Type: OBJECT
Example: {'source.as.number': [], 'source.ip': []}
Detection Supported Field: True
Normal state values of the anomalous fields.
ueba.rare_state
Required Field: False
Type: OBJECT
Example: {'source.as.number': [], 'source.ip': []}
Detection Supported Field: True
Rare state values of the anomalous fields.
User
Top Level Fieldset: True
This field set contains information about a user that is related to the event.
Fields from user
can also be found at the following locations:
source.user
destination.user
user.target
user.effective
user.changes
resource.owner
resource.parent.owner
User Fields
user.domain
Required Field: False
Type: STRING
Example: example.com
Detection Supported Field: True
Domain of the user. This is usually the domain of the user's email address.
user.email
Required Field: False
Type: STRING
Example: jdoe@example.com
Detection Supported Field: True
Email address of the user.
user.full_name
Required Field: False
Type: STRING
Example: Jane Doe
Detection Supported Field: True
Full name of the user.
user.hash
Required Field: False
Type: STRING
Example: ``
Detection Supported Field: True
Hash of the user.
user.id
Required Field: False
Type: STRING
Example: ABCDEFG
Detection Supported Field: True
Unique ID of the user.
user.indicators
Required Field: False
Type: ARRAY
Example: ['malicious']
Detection Supported Field: True
Threat indicators identified through enrichment, specific to a user.
user.name
Required Field: False
Type: STRING
Example: jdoe
Detection Supported Field: True
Short name or login name of the user.
user.roles
Required Field: False
Type: ARRAY
Example: ['admin', 'case_user']
Detection Supported Field: True
The roles of the user at the time of the event.
User agent
Top Level Fieldset: True
This field set defines the user agent string from a browser request.
User agent Fields
user_agent.name
Required Field: False
Type: STRING
Example: Chrome
Detection Supported Field: True
Name of the user agent.
user_agent.original
Required Field: False
Type: STRING
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Detection Supported Field: True
Original, unparsed user agent string.
user_agent.version
Required Field: False
Type: STRING
Example: 51.0
Detection Supported Field: True
Version of the user agent.
ACES Example Event
This example event is a representative example of the FULL event schema. It is not intended or expected that this example serve as a "proper" event; it populates every fieldset at once so that the placement of each field can be seen.
{
"source": {
"user": {
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
]
},
"host": {
"name": "jdoes-mac",
"id": "dfg422",
"hostname": "jdoes-mac",
"mac": "32-4B-4D-ED-60-FC",
"type": "workstation",
"os": {
"name": "Mac OS X",
"kernel": "21.6.0",
"platform": "darwin",
"type": "macos"
}
},
"geo": {
"location": {
"lon": -73.61483,
"lat": 45.505918
},
"continent_code": "NA",
"continent_name": "North America",
"country_name": "United States of America",
"region_name": "California",
"city_name": "San Francisco",
"country_iso_code": "US",
"postal_code": "94016",
"region_iso_code": "US-CA",
"timezone": "America/Los_Angeles",
"name": "sf-office"
},
"address": "8.8.8.8",
"ip": "8.8.8.8",
"port": 53,
"mac": "00-00-5E-00-53-23",
"domain": "example.com",
"indicators": [
"malicious"
],
"as": {
"country": "US",
"domain": "salesforce.com",
"number": 15169,
"organization": {
"name": "Google LLC"
},
"type": "ISP",
"service": "PureVPN"
}
},
"destination": {
"user": {
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
]
},
"host": {
"name": "jdoes-mac",
"id": "dfg422",
"hostname": "jdoes-mac",
"mac": "32-4B-4D-ED-60-FC",
"type": "workstation",
"os": {
"name": "Mac OS X",
"kernel": "21.6.0",
"platform": "darwin",
"type": "macos"
}
},
"address": "8.8.8.8",
"ip": "8.8.8.8",
"port": 53,
"mac": "00-00-5E-00-53-23",
"domain": "example.com",
"indicators": [
"malicious"
],
"geo": {
"location": {
"lon": -73.61483,
"lat": 45.505918
},
"continent_code": "NA",
"continent_name": "North America",
"country_name": "United States of America",
"region_name": "California",
"city_name": "San Francisco",
"country_iso_code": "US",
"postal_code": "94016",
"region_iso_code": "US-CA",
"timezone": "America/Los_Angeles",
"name": "sf-office"
},
"as": {
"country": "US",
"domain": "salesforce.com",
"number": 15169,
"organization": {
"name": "Google LLC"
},
"type": "ISP",
"service": "PureVPN"
}
},
"user": {
"target": {
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
],
"group": {
"id": "502386",
"name": "Admin Group"
},
"identity": {
"id": "2d152ca0-c7e0-4e15-a19b-ff348c287c1a",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"elevated": true,
"admin": true
}
},
"effective": {
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
],
"group": {
"id": "502386",
"name": "Admin Group"
},
"identity": {
"id": "2d152ca0-c7e0-4e15-a19b-ff348c287c1a",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"elevated": true,
"admin": true
}
},
"changes": {
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
],
"group": {
"id": "502386",
"name": "Admin Group"
},
"identity": {
"id": "2d152ca0-c7e0-4e15-a19b-ff348c287c1a",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"elevated": true,
"admin": true
}
},
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
],
"group": {
"id": "502386",
"name": "Admin Group"
},
"identity": {
"id": "2d152ca0-c7e0-4e15-a19b-ff348c287c1a",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"elevated": true,
"admin": true
}
},
"resource": {
"owner": {
"id": "ABCDEFG",
"name": "jdoe",
"full_name": "Jane Doe",
"email": "jdoe@example.com",
"hash": "",
"domain": "example.com",
"roles": [
"admin",
"case_user"
],
"indicators": [
"malicious"
]
},
"parent": {
"id": "32d28dg6",
"name": "sales_report",
"type": "record",
"count": 100
},
"id": "32d28dg6",
"name": "sales_report",
"type": "record",
"count": 100
},
"event": {
"ueba": {
"anomalous_fields": {
"source.as.number": 13541,
"source.ip": "147.34.2.14"
},
"normal_state": {
"source.as.number": [],
"source.ip": []
},
"rare_state": {
"source.as.number": [],
"source.ip": []
}
},
"id": "f837df",
"code": "8080",
"kind": "event",
"category": [
"authentication"
],
"action": "login_user",
"outcome": "success",
"type": [
"access"
],
"module": "core",
"dataset": "appomni_qa",
"provider": "AppOmni Core",
"severity": 1,
"original": "{\"some_key\": \"some value\"}",
"duration": 60,
"sequence": 1,
"created": "2022-11-17T06:30:10.442Z",
"start": "2022-11-17T06:30:10.442Z",
"end": "2022-11-17T06:30:10.442Z",
"risk_score": 85.63,
"risk_score_norm": 85.63,
"ingested": "2022-11-17T06:30:10.442Z",
"reference": "https://example.com/event/user_logged_in",
"url": "https://example.com/alert/1234",
"reason": "Incorrect password"
},
"appomni": {
"alert": {
"channel": "prod"
},
"service": {
"type": "ao_qa",
"id": 1,
"account_id": "wehg385",
"name": "AppOmni QA",
"slug": "tenant__uniq_svc_name"
},
"source": {
"id": "123e4567-e89b-12d3-a456-426614174000"
},
"event": {
"id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d",
"dataset": "appomni_qa",
"sortable_ingest_id": "01GJ3CQYGGJ4GJP2WWBPRH07H8",
"sortable_event_id": "01GJ3CQYGGJ4GJP2WWBPRH07H8",
"parent_id": "733e5b47-d79b-40c1-bc8c-b19c22137785",
"ingestion_time": "2022-11-17T06:34:18.429Z",
"collected_time": "2022-11-17T06:33:55.589Z",
"enrichments": [
"ipinfo"
]
},
"organization": {
"id": 1
}
},
"rule": {
"uuid": "ada8ee63-42b4-4f87-bc2c-22ce7e34f55d",
"version": "1",
"name": "Multiple Admin Users Deleted",
"vendor_id": "VendorX-123",
"description": "Multiple admin users have been deleted or suspended in a short period of time. An adversary might use this technique to disrupt business operations and maintain their access for a longer period.",
"category": "Authentication",
"ruleset": "Default Ruleset",
"reference": "https://example.com/rule/123",
"author": "AppOmni",
"license": "Apache 2.0",
"threat": {
"framework": "MITRE ATT&CK",
"tactic": {
"id": [
"TA0002"
],
"name": [
"Execution"
],
"reference": [
"https://attack.mitre.org/tactics/TA0002/"
]
},
"technique": {
"id": [
"T1059"
],
"name": [
"Command and Scripting Interpreter"
],
"reference": [
"https://attack.mitre.org/techniques/T1059/"
]
}
}
},
"session": {
"kind": "HIGH_ASSURANCE",
"id": "bhM5rBAHTu1RggVh"
},
"authentication": {
"raw_method": "Sha1HashedPassword",
"method": "password",
"provider": "Okta"
},
"user_agent": {
"name": "Chrome",
"original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
"version": "51.0",
"os": {
"name": "Mac OS X",
"kernel": "21.6.0",
"platform": "darwin",
"type": "macos"
}
},
"service": {
"name": "AppOmni QA",
"id": "wehg385"
},
"configuration": {
"name": "minimumPasswordLength",
"value": "enabled",
"old_value": "disabled"
},
"space": {
"name": "annual board meeting",
"id": "7B3166F2",
"category": "meeting"
},
"@timestamp": "2022-11-17T13:02:30.458Z",
"tags": [
"example_tag"
],
"labels": {
"some_key": "some_value"
},
"message": "This is a test ACES event",
"version": "2.0",
"error": {
"message": "An exception has occurred in program",
"id": "23486",
"type": "Exception"
},
"related": {
"ip": [
"8.8.8.8"
],
"user": [
"ABCDEFG"
],
"hash": [
""
],
"host": [
"ao-desktop1"
],
"resource": [
"32d28dg6"
],
"event": [
"733e5b47-d79b-40c1-bc8c-b19c22137785"
],
"identity": [
"2d152ca0-c7e0-4e15-a19b-ff348c287c1a"
],
"services": {
"id": [
1
],
"name": [
"AppOmni QA US1"
],
"type": [
"ao_qa"
]
}
},
"application": {
"name": "User Activity API",
"id": "5A4232E1",
"domain": "example.com",
"path": "/users/active?pageSize=100",
"version": "2.01",
"scopes": [
"create users",
"edit users"
]
},
"policy": {
"name": "Password",
"id": "00pd30ftwhug3OBzP5d7",
"category": "posture",
"description": "Multi-factor Sign-On Policy for admin users.",
"outcome": "NoAction"
},
"file": {
"id": "32d28dg6",
"name": "sales_report.docx",
"directory": "/home/reports",
"path": "/home/reports/sales_report.docx",
"extension": "docx",
"size": 256321,
"hash": "0a50475bcaaf0de19d0b0be78ac36ef6ac8ee6f0cd745c2e625f69523c64e544",
"created": "2022-11-17T06:30:10.442Z"
}
}
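Added example, not part of the ACES specification or AppOmni's own tooling: a small Python validator that applies the JSON Schema constraints ACES relies on (type, required, additionalProperties, enum, array items) and the cross-field duplication rules the field descriptions state only in prose (such as `file.id` duplicated to `resource.id`). The schema excerpt and the two sample events are constructed from the page's own field names and example values; the enums are truncated to a few entries.

```python
from functools import reduce

# Constructed excerpt of the ACES JSON Schema: field names, types, required
# lists and additionalProperties settings follow the page; enums are cut short.
ACES_SCHEMA_EXCERPT = {
    "type": "object",
    "properties": {
        "appomni": {
            "type": "object", "additionalProperties": False,
            "required": ["event", "organization"],
            "properties": {
                "event": {"type": "object", "additionalProperties": False,
                          "required": ["id", "dataset"],
                          "properties": {"id": {"type": "string"},
                                         "dataset": {"type": "string", "enum": ["appomni_qa"]}}},
                "organization": {"type": "object", "additionalProperties": False,
                                 "required": ["id"],
                                 "properties": {"id": {"type": "integer"}}},
            },
        },
        "event": {
            "type": "object", "additionalProperties": False,
            "properties": {
                "outcome": {"type": "string", "enum": ["success", "failure", "unknown"]},
                "category": {"type": "array", "items": {"type": ["string"], "enum": [
                    "authentication", "configuration", "file", "malware"]}},
            },
        },
        "file": {"type": "object", "additionalProperties": False,
                 "properties": {"id": {"type": "string"}, "name": {"type": "string"}}},
        "resource": {"type": "object", "additionalProperties": False,
                     "properties": {"id": {"type": "string"}, "name": {"type": "string"}}},
    },
}

# JSON Schema primitive types as Python checks; bool is excluded from
# integer because Python's bool is a subclass of int.
JSON_TYPES = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "array": lambda v: isinstance(v, list),
    "object": lambda v: isinstance(v, dict),
}

def validate(value, schema, path="$"):
    """Return a list of error strings; an empty list means value satisfies schema."""
    types = schema.get("type", [])
    types = [types] if isinstance(types, str) else types  # ACES writes item types as a list
    if types and not any(JSON_TYPES[t](value) for t in types):
        return [f"{path}: expected {'/'.join(types)}, got {type(value).__name__}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in enum")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        errors += [f"{path}.{k}: required field missing"
                   for k in schema.get("required", []) if k not in value]
        for key, item in value.items():
            if key in props:
                errors += validate(item, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: not an ACES field (additionalProperties is false)")
    elif isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

# Duplication rules that the ACES field descriptions state in prose ("This
# value should be duplicated to `resource.id`") and JSON Schema cannot express.
DUPLICATION_RULES = [("file.id", "resource.id"), ("file.name", "resource.name")]

def lookup(event, dotted):
    """Follow a dotted ACES field path; None when any segment is absent."""
    return reduce(lambda cur, part: cur.get(part) if isinstance(cur, dict) else None,
                  dotted.split("."), event)

def check_duplication(event):
    """Every populated source field must equal the target it is duplicated to."""
    pairs = [(s, d, lookup(event, s), lookup(event, d)) for s, d in DUPLICATION_RULES]
    return [f"{s}={sv!r} should be duplicated to {d} (found {dv!r})"
            for s, d, sv, dv in pairs if sv is not None and sv != dv]

def validate_aces_event(event):
    """Schema checks plus the cross-field duplication rules, as one error list."""
    return validate(event, ACES_SCHEMA_EXCERPT) + check_duplication(event)

# Constructed sample events, with values modelled on the page's example event.
GOOD_EVENT = {
    "appomni": {"event": {"id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d",
                          "dataset": "appomni_qa"}, "organization": {"id": 1}},
    "event": {"outcome": "success", "category": ["authentication"]},
    "file": {"id": "32d28dg6", "name": "sales_report.docx"},
    "resource": {"id": "32d28dg6", "name": "sales_report.docx"},
}
# Five defects: missing dataset, string organization.id, outcome not in the
# enum, 'categories' is not an ACES field, file.name not copied to resource.name.
BAD_EVENT = {
    **GOOD_EVENT,
    "appomni": {"event": {"id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d"},
                "organization": {"id": "1"}},
    "event": {"outcome": "succeeded", "categories": ["authentication"]},
    "resource": {"id": "32d28dg6", "name": "sales_report"},
}
```

Running `validate_aces_event(BAD_EVENT)` yields five errors, one per defect, each prefixed with the dotted path of the offending field; the good event yields an empty list.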
ACES JSON Schema
{
"type": "object",
"properties": {
"@timestamp": {
"description": "Date/time when the event originated.",
"type": "string"
},
"tags": {
"description": "List of keywords used to tag each event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"labels": {
"description": "Custom key/value pairs.",
"type": "object"
},
"message": {
"description": "A human-readable summary of the event.",
"type": "string"
},
"version": {
"description": "Version of ACES.",
"type": "string"
},
"application": {
"type": "object",
"properties": {
"name": {
"description": "The name or description of the application.",
"type": "string"
},
"id": {
"description": "Unique ID of the application.",
"type": "string"
},
"domain": {
"description": "The domain name of the application.",
"type": "string"
},
"path": {
"description": "The URI of the application or API endpoint, which can include parameters.",
"type": "string"
},
"version": {
"description": "The version of the application.",
"type": "string"
},
"scopes": {
"description": "The scopes required by the application.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
},
"appomni": {
"type": "object",
"properties": {
"alert": {
"type": "object",
"properties": {
"channel": {
"description": "The channel of a rule is determined by the stage of the rule lifecycle.",
"type": "string",
"enum": [
"prod",
"beta",
"testing",
"ao_only_prod",
"ao_only_beta",
"ao_only_testing"
]
}
},
"required": [],
"additionalProperties": false
},
"service": {
"type": "object",
"properties": {
"type": {
"description": "The platform shortname of the monitored service.",
"type": "string",
"enum": [
"ao_qa",
"appomni",
"asana",
"auth0",
"bitbucket",
"box",
"confluence",
"crowdstrike",
"custom",
"databricks",
"docusign",
"duo",
"fastly",
"github",
"gsuite",
"hubspot",
"imanage",
"jamf",
"jira",
"jumpcloud",
"lucid",
"miro",
"mongo",
"monday",
"multiple",
"netsuite",
"notion",
"o365",
"okta",
"onelogin",
"ping",
"sapsf",
"sfdc",
"sfmc",
"slack",
"sendgrid",
"smartsheet",
"snow",
"snowflake",
"stripe",
"tableau",
"veevavault",
"webex",
"wiz",
"workday",
"zendesk",
"zoom"
]
},
"id": {
"description": "Unique AppOmni-assigned ID of the connected monitored service.",
"type": "integer"
},
"account_id": {
"description": "Unique platform-assigned ID of the connected monitored service.",
"type": "string"
},
"name": {
"description": "The tenant owner-assigned name of the connected monitored service.",
"type": "string"
},
"slug": {
"description": "The identifier of the monitored service, either the platform shortname for out-of-the-box (OOTB) services or the unique identifier for custom monitored services.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"source": {
"type": "object",
"properties": {
"id": {
"description": "Unique AppOmni-assigned ID of the detection event source.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"event": {
"type": "object",
"properties": {
"id": {
"description": "Unique AppOmni-assigned ID of the event.",
"type": "string"
},
"dataset": {
"description": "The dataset of the event. A dataset is generally a collection of similar events.",
"type": "string",
"enum": [
"onepassword_auditlog",
"ao_auditlogs",
"ao_canary",
"appomni_alert",
"appomni_event",
"appomni_qa",
"arista_auditlog",
"asana_eventlog",
"auth0_auditlog",
"bitbucket_auditlog",
"box_admin_logs",
"confluence_eventlog",
"cradlepoint_activity_log",
"crowdstrike_audit_log",
"crowdstrike_auth_activity",
"crowdstrike_cspm_ioa_event",
"crowdstrike_cspm_search_event",
"crowdstrike_detection_summary",
"crowdstrike_external_api_activity",
"crowdstrike_identity_protection_event",
"crowdstrike_idp_detection_summary",
"crowdstrike_incident_summary",
"crowdstrike_ioc_event",
"crowdstrike_firewall_match",
"crowdstrike_mobile_detection_summary",
"crowdstrike_realtime_response_end",
"crowdstrike_realtime_response_start",
"crowdstrike_recon_summary",
"crowdstrike_user_activity",
"crowdstrike_xdr_detection_summary",
"crowdstrike_unknown",
"custom_eventlog_push",
"custom_rawlog",
"databricks_auditlog",
"datadog_auditlog",
"duo_admin",
"duo_auth",
"docusign_envelope_audit",
"docusign_monitor",
"fastly_auditlog",
"github_audit",
"github_webhook",
"gitlab_audit_events",
"gsuite_admin_log",
"gsuite_alert_center_log",
"gsuite_drive_log",
"gsuite_login_log",
"gsuite_mobile_log",
"gsuite_token_log",
"hubspot_auditlog",
"imanage_auditlog",
"jamf_auditlog",
"jira_eventlog",
"jumpcloud_auditlog",
"juniper_system_log",
"lucid_eventlog",
"miro_auditlog",
"monday_auditlog",
"netsuite_login_log",
"netsuite_perm_change_log",
"netsuite_role_log",
"notion_auditlog",
"o365_audit_azure_active_directory",
"o365_audit_exchange",
"o365_audit_general",
"o365_audit_sharepoint",
"o365_dlp_all",
"mongodb_atlas",
"okta_syslog",
"onelogin_eventlog",
"openblue_auditlog",
"sapsf_sfapi_eventlog",
"sapsf_odata_api_eventlog",
"ping_eventlog",
"sfdc_admin_setup_event_table",
"sfdc_api_anomaly_event_store",
"sfdc_api_event_table",
"sfdc_audit_trail",
"sfdc_batch_event_log",
"sfdc_bulk_api_result_event_store",
"sfdc_content_transfer_event_store",
"sfdc_credential_stuffing_event_store",
"sfdc_data_query",
"sfdc_field_modification_history",
"sfdc_fsecure",
"sfdc_identity_verification_event_store",
"sfdc_idp_event_store",
"sfdc_lightning_uri_event_table",
"sfdc_list_view_event_table",
"sfdc_login_as_event_table",
"sfdc_login_event_table",
"sfdc_logout_event_table",
"sfdc_oauth_connection",
"sfdc_permission_event_store",
"sfdc_report_anomaly_event_store",
"sfdc_report_event_table",
"sfdc_session_hijacking_event_store",
"sfdc_uri_event_table",
"sfmc_audit_event",
"sfmc_security_event",
"slack_auditlog",
"smartsheet_auditlog",
"sendgrid_auditlog",
"snow_export_log",
"snow_mid_command_log",
"snow_sysaudit",
"snow_sysaudit_role",
"snow_sysevent",
"snow_syslog",
"snowflake_login_history",
"snowflake_query_history",
"stripe_eventlog",
"tableau_activitylogs",
"veevavault_login_audit_trail",
"veevavault_system_audit_trail",
"veevavault_document_audit_trail",
"veevavault_object_audit_trail",
"versa_auditlog",
"webex_admin_audit",
"wiz_audit",
"workday_auditlog_user_activity",
"workday_activity_logging",
"zendesk_auditlog",
"zoom_recordings",
"zoom_webhook"
]
},
"sortable_ingest_id": {
"description": "Unique sortable ID of the event assigned when it arrives in AppOmni's data store.",
"type": "string"
},
"sortable_event_id": {
"description": "Unique sortable ID of the event assigned when it's collected.",
"type": "string"
},
"parent_id": {
"description": "Unique ID of the parent event.",
"type": "string"
},
"ingestion_time": {
"description": "Timestamp when the event arrived in AppOmni's data store.",
"type": "string"
},
"collected_time": {
"description": "Timestamp when the event was collected by AppOmni.",
"type": "string"
},
"enrichments": {
"description": "List of 3rd party sources that contributed enrichment information to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [
"id",
"dataset"
],
"additionalProperties": false
},
"organization": {
"type": "object",
"properties": {
"id": {
"description": "ID of the AppOmni Tenant this event originated from.",
"type": "integer"
}
},
"required": [
"id"
],
"additionalProperties": false
}
},
"required": [
"event",
"organization"
],
"additionalProperties": false
},
"authentication": {
"type": "object",
"properties": {
"raw_method": {
"description": "Method of authentication as provided by the monitored service.",
"type": "string"
},
"method": {
"description": "Normalized method of authentication.",
"type": "string",
"enum": [
"access_token",
"backup_code",
"biometric",
"email",
"hardware_authenticator",
"password",
"passwordless",
"phone_call",
"sms",
"sso",
"software_authenticator",
"gesture",
"hardware_token",
"software_token"
]
},
"provider": {
"description": "Authentication provider.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"configuration": {
"type": "object",
"properties": {
"name": {
"description": "The name or description of a configuration.",
"type": "string"
},
"value": {
"description": "The current value or state of a configuration.",
"type": "string"
},
"old_value": {
"description": "The previous value or state of a configuration.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"destination": {
"type": "object",
"properties": {
"address": {
"description": "The raw address of the destination according to the source. This value should be duplicated to `destination.ip` or `destination.domain`, depending on which one applies.",
"type": "string"
},
"ip": {
"description": "IP address of the destination (IPv4 or IPv6).",
"type": "string"
},
"port": {
"description": "Port of the destination.",
"type": "integer"
},
"mac": {
"description": "MAC address of the destination.",
"type": "string"
},
"domain": {
"description": "The domain name of the destination. This value can be a host name or FQDN.",
"type": "string"
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a destination.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"as": {
"type": "object",
"properties": {
"country": {
"description": "ISO 3166 country code.",
"type": "string"
},
"domain": {
"description": "Domain name of the AS.",
"type": "string"
},
"number": {
"description": "Unique number assigned to the autonomous system.",
"type": "integer"
},
"type": {
"description": "AS type.",
"type": "string"
},
"service": {
"description": "Name of the IP privacy service provider.",
"type": "string"
},
"organization": {
"type": "object",
"properties": {
"name": {
"description": "Name of the organization.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"geo": {
"type": "object",
"properties": {
"location": {
"description": "Longitude and latitude.",
"type": "object"
},
"continent_code": {
"description": "Two-letter code representing continent\u2019s name.",
"type": "string",
"enum": [
"AF",
"AN",
"AS",
"EU",
"NA",
"OC",
"SA"
]
},
"continent_name": {
"description": "Name of the continent.",
"type": "string",
"enum": [
"Africa",
"Antarctica",
"Asia",
"Europe",
"North America",
"Oceania",
"South America"
]
},
"country_name": {
"description": "Name of the country.",
"type": "string"
},
"region_name": {
"description": "Name of the region or state.",
"type": "string"
},
"city_name": {
"description": "Name of the city.",
"type": "string"
},
"country_iso_code": {
"description": "ISO code of the country.",
"type": "string"
},
"postal_code": {
"description": "Postal code or ZIP code associated with the location. This value will vary depending on the country.",
"type": "string"
},
"region_iso_code": {
"description": "ISO code of the region or state.",
"type": "string"
},
"timezone": {
"description": "IANA timezone name of the location.",
"type": "string"
},
"name": {
"description": "Description of the specific location, such as an office name or floor number.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"host": {
"type": "object",
"properties": {
"name": {
"description": "Name of the host. This value can be the hostname, FQDN, or user-defined name.",
"type": "string"
},
"id": {
"description": "Unique ID of the host.",
"type": "string"
},
"hostname": {
"description": "Hostname of the host.",
"type": "string"
},
"mac": {
"description": "MAC address of the host.",
"type": "string"
},
"type": {
"description": "Type of host.",
"type": "string"
},
"os": {
"type": "object",
"properties": {
"name": {
"description": "Name of the operating system, without the version.",
"type": "string"
},
"kernel": {
"description": "Kernel version of operating system as a raw string.",
"type": "string"
},
"platform": {
"description": "Operating system platform.",
"type": "string"
},
"type": {
"description": "Name of the operating system family.",
"type": "string",
"enum": [
"android",
"chromeos",
"ios",
"linux",
"macos",
"unix",
"windows"
]
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"user": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"error": {
"type": "object",
"properties": {
"message": {
"description": "Error message.",
"type": "string"
},
"id": {
"description": "Unique ID of the error.",
"type": "string"
},
"type": {
"description": "The type or class of the error.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"event": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID to describe the event.",
"type": "string"
},
"code": {
"description": "Identification code for this event, if one exists.\nSome event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time.",
"type": "string"
},
"kind": {
"description": "`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.",
"type": "string",
"enum": [
"alert",
"event",
"synthetic",
"finding"
]
},
"category": {
"description": "Indicates the high-level categorization of an event.",
"type": "array",
"items": {
"type": [
"string"
],
"enum": [
"authentication",
"configuration",
"file",
"malware"
]
}
},
"action": {
"description": "The action captured by the event.",
"type": "string",
"enum": [
"accept_invite",
"accept_message",
"accept_session",
"accept_tos",
"access_app",
"access_webhook",
"add_app",
"add_device",
"add_domain",
"add_key",
"add_label",
"add_mfa",
"add_permission",
"add_policy",
"add_resource",
"add_role",
"add_rule",
"add_team",
"add_user",
"add_workflow",
"alert_api",
"alert_device",
"alert_event",
"alert_mfa",
"alert_policy",
"alert_resource",
"alert_rule",
"alert_user",
"allow_issue",
"approve_access",
"approve_app",
"approve_resource",
"approve_request",
"approve_token",
"approve_user",
"approve_workflow",
"archive_key",
"archive_resource",
"archive_rule",
"archive_user",
"assign_issue",
"authenticate_app",
"authenticate_user",
"await_resource",
"block_session",
"block_user",
"canary",
"cancel_review",
"cancel_sponsorship",
"cancel_workflow",
"change_mfa",
"close_issue",
"close_project",
"close_request",
"close_review",
"complete_task",
"complete_workflow",
"connect_app",
"connect_user",
"copy_key",
"copy_resource",
"create_account",
"create_advisory",
"create_api",
"create_app",
"create_branch",
"create_code",
"create_comment",
"create_csr",
"create_deployment",
"create_event",
"create_exception",
"create_fork",
"create_group",
"create_index",
"create_issue",
"create_key",
"create_label",
"create_metadata",
"create_mfa",
"create_organization",
"create_package",
"create_password",
"create_permission",
"create_policy",
"create_project",
"create_request",
"create_resource",
"create_role",
"create_rule",
"create_setting",
"create_share",
"create_sponsorship",
"create_task",
"create_team",
"create_token",
"create_user",
"create_webhook",
"create_workflow",
"delete_account",
"delete_advisory",
"delete_alert",
"delete_app",
"delete_branch",
"delete_certificate",
"delete_code",
"delete_comment",
"delete_exception",
"delete_group",
"delete_index",
"delete_issue",
"delete_key",
"delete_label",
"delete_metadata",
"delete_organization",
"delete_package",
"delete_permission",
"delete_policy",
"delete_project",
"delete_request",
"delete_resource",
"delete_role",
"delete_rule",
"delete_setting",
"delete_task",
"delete_team",
"delete_token",
"delete_user",
"delete_webhook",
"delete_workflow",
"demote_role",
"deny_access",
"deny_invite",
"deny_request",
"disable_account",
"disable_app",
"disable_device",
"disable_license",
"disable_mfa",
"disable_permission",
"disable_policy",
"disable_resource",
"disable_rule",
"disable_setting",
"disable_user",
"disable_webhook",
"disable_workflow",
"disconnect_app",
"disconnect_user",
"dismiss_advisory",
"download_resource",
"download_token",
"elevate_permission",
"elevate_role",
"enable_account",
"enable_api",
"enable_app",
"enable_device",
"enable_license",
"enable_mfa",
"enable_permission",
"enable_policy",
"enable_resource",
"enable_rule",
"enable_setting",
"enable_user",
"enable_webhook",
"enable_workflow",
"end_resource",
"end_session",
"end_task",
"enroll_certificate",
"enroll_mfa",
"evaluate_policy",
"evaluate_token",
"execute_app",
"execute_command",
"execute_policy",
"execute_request",
"execute_resource",
"execute_rule",
"execute_task",
"execute_workflow",
"expire_exception",
"expire_invite",
"expire_mfa",
"expire_password",
"expire_request",
"expire_session",
"expire_token",
"favorite_resource",
"follow_resource",
"get_token",
"ignore_issue",
"impersonate_user",
"import_account",
"import_group",
"import_resource",
"import_user",
"install_app",
"invite_user",
"issue_certificate",
"lock_account",
"lock_issue",
"lock_resource",
"lock_user",
"login_user",
"logout_user",
"mitigate_advisory",
"move_issue",
"move_resource",
"notify_issue",
"notify_mfa",
"notify_workflow",
"open_issue",
"open_project",
"pin_issue",
"preview_resource",
"print_resource",
"privatize_resource",
"publicize_resource",
"publish_code",
"publish_csr",
"publish_resource",
"push_commit",
"query_api",
"query_resource",
"read_account",
"read_audit",
"read_config",
"read_device",
"read_group",
"read_label",
"read_metadata",
"read_password",
"read_permission",
"read_policy",
"read_resource",
"read_role",
"read_rule",
"read_schema",
"read_setting",
"read_share",
"read_task",
"read_user",
"reject_tos",
"remove_app",
"remove_device",
"remove_domain",
"remove_group",
"remove_label",
"remove_license",
"remove_mfa",
"remove_permission",
"remove_policy",
"remove_resource",
"remove_role",
"remove_rule",
"remove_team",
"remove_user",
"request_access",
"request_advisory",
"request_authorization",
"request_review",
"request_task",
"request_token",
"reset_password",
"restore_resource",
"revoke_access",
"revoke_api",
"revoke_app",
"revoke_certificate",
"revoke_csr",
"revoke_token",
"revoke_user",
"send_healthcheck",
"send_heartbeart",
"share_resource",
"share_screen",
"start_resource",
"start_session",
"start_task",
"submit_review",
"suspend_app",
"synchronize_account",
"synchronize_device",
"synchronize_group",
"synchronize_resource",
"synchronize_task",
"synchronize_user",
"transfer_owner",
"unarchive_resource",
"unassign_issue",
"unblock_user",
"unenroll_mfa",
"unfavorite_resource",
"unfollow_resource",
"uninstall_app",
"unknown",
"unlock_account",
"unpublish_code",
"unlock_issue",
"unlock_resource",
"unlock_token",
"unlock_user",
"unpin_issue",
"unshare_resource",
"unsuspend_app",
"update_access",
"update_account",
"update_advisory",
"update_alert",
"update_api",
"update_app",
"update_authentication",
"update_certificate",
"update_code",
"update_comment",
"update_device",
"update_group",
"update_index",
"update_issue",
"update_key",
"update_label",
"update_metadata",
"update_mailbox",
"update_organization",
"update_package",
"update_password",
"update_permission",
"update_policy",
"update_project",
"update_resource",
"update_request",
"update_review",
"update_role",
"update_rule",
"update_session",
"update_setting",
"update_share",
"update_sponsorship",
"update_status",
"update_task",
"update_team",
"update_token",
"update_user",
"update_webhook",
"update_workflow",
"upgrade_app",
"upload_resource",
"upload_token",
"verify_device",
"verify_group",
"verify_mfa",
"verify_resource",
"verify_user",
"verify_webhook"
]
},
"outcome": {
"description": "The outcome describes whether an event action succeeded or failed.",
"type": "string",
"enum": [
"success",
"failure",
"unknown"
]
},
"type": {
"description": "Indicates the type of event. This is a subcategory of `event.category`.",
"type": "array",
"items": {
"type": [
"string"
],
"enum": [
"access",
"admin",
"change",
"end",
"info",
"start",
"creation",
"deletion"
]
}
},
"module": {
"description": "Module of the event. This is usually a specific product or plugin of the monitored service.",
"type": "string"
},
"dataset": {
"description": "The dataset of the event as presented by the SaaS platform. This is distinct from AppOmni datasets which reside under `appomni.event.dataset`.",
"type": "string"
},
"provider": {
"description": "Source of the event. This may be the API endpoint or operating system that generated the event.",
"type": "string"
},
"severity": {
"description": "The numeric severity of the event according to the source.",
"type": "integer"
},
"original": {
"description": "The raw event in its original form.",
"type": "string"
},
"duration": {
"description": "Duration of the event. If `event.start` and `event.end` are known this value should be the difference between the end and start time.",
"type": "integer"
},
"sequence": {
"description": "Sequence number of the event. Sequence numbering is used to ensure the order of events is known, regardless of the timestamp.",
"type": "integer"
},
"created": {
"description": "Date/time when the event was reported as created in the monitored service.",
"type": "string"
},
"start": {
"description": "Date/time when the event started or when the activity was first observed.",
"type": "string"
},
"end": {
"description": "Date/time when the event ended or when the activity was last observed.",
"type": "string"
},
"risk_score": {
"description": "Risk score of the event, as provided by the original source.",
"type": "number"
},
"risk_score_norm": {
"description": "Normalized risk score of the event, on a scale of 0 to 100.",
"type": "number"
},
"ingested": {
"description": "Date/time when the event arrived in AppOmni's data store.",
"type": "string"
},
"reference": {
"description": "URL to reference information about this event.",
"type": "string"
},
"url": {
"description": "URL to an external source to continue investigation of this event.",
"type": "string"
},
"reason": {
"description": "Reason this event happened, according to the source.",
"type": "string"
},
"ueba": {
"type": "object",
"properties": {
"anomalous_fields": {
"description": "Details of the anomalous fields of the event.\n",
"type": "object"
},
"normal_state": {
"description": "Normal state values of the anomalous fields.\n",
"type": "object"
},
"rare_state": {
"description": "Rare state values of the anomalous fields.\n",
"type": "object"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"file": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the file. This value should be duplicated to `resource.id`.",
"type": "string"
},
"name": {
"description": "Name of the file. This value should be duplicated to `resource.name`.",
"type": "string"
},
"directory": {
"description": "Directory where the file is located. It should include the drive letter if applicable.",
"type": "string"
},
"path": {
"description": "Full path to the file, including the file name.",
"type": "string"
},
"extension": {
"description": "File extension, excluding the leading dot.",
"type": "string"
},
"size": {
"description": "File size in bytes.",
"type": "integer"
},
"hash": {
"description": "Hash of the file. Value may be the result of any hashing algorithm.",
"type": "string"
},
"created": {
"description": "Date/time the file was created.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"policy": {
"type": "object",
"properties": {
"name": {
"description": "Name of the policy.",
"type": "string"
},
"id": {
"description": "Unique ID of the policy.",
"type": "string"
},
"category": {
"description": "Indicates the high-level categorization of a policy.",
"type": "string"
},
"description": {
"description": "Brief explanation of the purpose of the policy.",
"type": "string"
},
"outcome": {
"description": "Outcome of a policy evaluation on an audited action.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"related": {
"type": "object",
"properties": {
"ip": {
"description": "IP addresses related to an event (IPv4 or IPv6).",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"user": {
"description": "Users related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"hash": {
"description": "Hashes related to an event. Values may be the result of any hashing algorithm.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"host": {
"description": "Hosts related to an event. Values may be the hostname, FQDN, or user-defined name.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"resource": {
"description": "Resources related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"event": {
"description": "Event IDs related to an event, reflecting the AppOmni Event ID from `appomni.event.id`.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"identity": {
"description": "Identity IDs related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"services": {
"type": "object",
"properties": {
"id": {
"description": "AppOmni Service IDs related to an event.",
"type": "array",
"items": {
"type": [
"integer"
]
}
},
"name": {
"description": "AppOmni Service Names related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"type": {
"description": "AppOmni Service Types related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"resource": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the resource.",
"type": "string"
},
"name": {
"description": "Name of the resource.",
"type": "string"
},
"type": {
"description": "Indicates the type of resource. The most descriptive type should be used to define a resource. For example, a file containing a report should have the `resource.type` of `report` rather than `file`.",
"type": "string",
"enum": [
"application",
"code",
"comment",
"credential",
"datastore",
"destination",
"device",
"email",
"file",
"folder",
"group",
"issue",
"list",
"organization",
"page",
"policy",
"project",
"record",
"report",
"repository",
"role",
"rule",
"shortcut",
"space",
"table",
"tag",
"task",
"unknown",
"user"
]
},
"count": {
"description": "Number of items in the resource.",
"type": "integer"
},
"owner": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
},
"parent": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the resource.",
"type": "string"
},
"name": {
"description": "Name of the resource.",
"type": "string"
},
"type": {
"description": "Indicates the type of resource. The most descriptive type should be used to define a resource. For example, a file containing a report should have the `resource.type` of `report` rather than `file`.",
"type": "string",
"enum": [
"application",
"code",
"comment",
"credential",
"datastore",
"destination",
"device",
"email",
"file",
"folder",
"group",
"issue",
"list",
"organization",
"page",
"policy",
"project",
"record",
"report",
"repository",
"role",
"rule",
"shortcut",
"space",
"table",
"tag",
"task",
"unknown",
"user"
]
},
"count": {
"description": "Number of items in the resource.",
"type": "integer"
},
"owner": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"rule": {
"type": "object",
"properties": {
"uuid": {
"description": "Unique UUID of the rule.",
"type": "string"
},
"version": {
"description": "Version of the rule.",
"type": "string"
},
"name": {
"description": "Name of the rule.",
"type": "string"
},
"vendor_id": {
"description": "Unique ID of a vendor rule external to AppOmni.",
"type": "string"
},
"description": {
"description": "Brief explanation of what event(s) occurred and the intent/goal of the threat actor.",
"type": "string"
},
"category": {
"description": "Indicates the high-level categorization of the rule.",
"type": "string"
},
"ruleset": {
"description": "Name of the ruleset to which the rule is assigned.",
"type": "string"
},
"reference": {
"description": "URL to reference information about the rule.",
"type": "string"
},
"author": {
"description": "Name, organization, or author(s) who created the rule.",
"type": "string"
},
"license": {
"description": "Name of the license under which the rule is made available.",
"type": "string"
},
"threat": {
"type": "object",
"properties": {
"framework": {
"description": "Name of the threat framework used to classify the tactic and technique of a threat.",
"type": "string"
},
"tactic": {
"type": "object",
"properties": {
"id": {
"description": "ID of the tactic.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"name": {
"description": "Name of the tactic.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"reference": {
"description": "URL to reference information about the tactic.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
},
"technique": {
"type": "object",
"properties": {
"id": {
"description": "ID of the technique.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"name": {
"description": "Name of the technique.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"reference": {
"description": "URL to reference information about the technique.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"service": {
"type": "object",
"properties": {
"name": {
"description": "Name of the service as provided by the service provider.",
"type": "string"
},
"id": {
"description": "ID of the service as provided by the service provider.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"session": {
"type": "object",
"properties": {
"kind": {
"description": "Description of the privilege level associated with a session, or how a session was established.",
"type": "string"
},
"id": {
"description": "Unique ID of the session.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"source": {
"type": "object",
"properties": {
"address": {
"description": "The raw address of the source. This value should be duplicated to `source.ip` or `source.domain`, depending on which one applies.",
"type": "string"
},
"ip": {
"description": "IP address of the source (IPv4 or IPv6).",
"type": "string"
},
"port": {
"description": "Port of the source.",
"type": "integer"
},
"mac": {
"description": "MAC address of the source.",
"type": "string"
},
"domain": {
"description": "The domain name of the source. This value can be a host name or FQDN.",
"type": "string"
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a source.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"as": {
"type": "object",
"properties": {
"country": {
"description": "ISO 3166 country code.",
"type": "string"
},
"domain": {
"description": "Domain name of the AS.",
"type": "string"
},
"number": {
"description": "Unique number assigned to the autonomous system.",
"type": "integer"
},
"type": {
"description": "AS type.",
"type": "string"
},
"service": {
"description": "Name of the IP privacy service provider.",
"type": "string"
},
"organization": {
"type": "object",
"properties": {
"name": {
"description": "Name of the organization.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"geo": {
"type": "object",
"properties": {
"location": {
"description": "Longitude and latitude.",
"type": "object"
},
"continent_code": {
"description": "Two-letter code representing the continent\u2019s name.",
"type": "string",
"enum": [
"AF",
"AN",
"AS",
"EU",
"NA",
"OC",
"SA"
]
},
"continent_name": {
"description": "Name of the continent.",
"type": "string",
"enum": [
"Africa",
"Antarctica",
"Asia",
"Europe",
"North America",
"Oceania",
"South America"
]
},
"country_name": {
"description": "Name of the country.",
"type": "string"
},
"region_name": {
"description": "Name of the region or state.",
"type": "string"
},
"city_name": {
"description": "Name of the city.",
"type": "string"
},
"country_iso_code": {
"description": "ISO code of the country.",
"type": "string"
},
"postal_code": {
"description": "Postal code or ZIP code associated with the location. This value will vary depending on the country.",
"type": "string"
},
"region_iso_code": {
"description": "ISO code of the region or state.",
"type": "string"
},
"timezone": {
"description": "IANA timezone name of the location.",
"type": "string"
},
"name": {
"description": "Description of the specific location, such as an office name or floor number.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"host": {
"type": "object",
"properties": {
"name": {
"description": "Name of the host. This value can be the hostname, FQDN, or user-defined name.",
"type": "string"
},
"id": {
"description": "Unique ID of the host.",
"type": "string"
},
"hostname": {
"description": "Hostname of the host.",
"type": "string"
},
"mac": {
"description": "MAC address of the host.",
"type": "string"
},
"type": {
"description": "Type of host.",
"type": "string"
},
"os": {
"type": "object",
"properties": {
"name": {
"description": "Name of the operating system, without the version.",
"type": "string"
},
"kernel": {
"description": "Kernel version of the operating system as a raw string.",
"type": "string"
},
"platform": {
"description": "Operating system platform.",
"type": "string"
},
"type": {
"description": "Name of the operating system family.",
"type": "string",
"enum": [
"android",
"chromeos",
"ios",
"linux",
"macos",
"unix",
"windows"
]
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"user": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"space": {
"type": "object",
"properties": {
"name": {
"description": "Name or title of the space.",
"type": "string"
},
"id": {
"description": "Unique ID of the space.",
"type": "string"
},
"category": {
"description": "Indicates the high-level categorization of the space.",
"type": "string",
"enum": [
"channel",
"meeting",
"workspace"
]
}
},
"required": [],
"additionalProperties": false
},
"user": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"changes": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"effective": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
},
"target": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"user_agent": {
"type": "object",
"properties": {
"name": {
"description": "Name of the user agent.",
"type": "string"
},
"original": {
"description": "Original, unparsed user agent string.",
"type": "string"
},
"version": {
"description": "Version of the user agent.",
"type": "string"
},
"os": {
"type": "object",
"properties": {
"name": {
"description": "Name of the operating system, without the version.",
"type": "string"
},
"kernel": {
"description": "Kernel version of the operating system as a raw string.",
"type": "string"
},
"platform": {
"description": "Operating system platform.",
"type": "string"
},
"type": {
"description": "Name of the operating system family.",
"type": "string",
"enum": [
"android",
"chromeos",
"ios",
"linux",
"macos",
"unix",
"windows"
]
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"ao_qa": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"ao": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"asana": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"auth0": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"bitbucket": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"box": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"confluence": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"crowdstrike": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"custom": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"databricks": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"docusign": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"duo": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"fastly": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"github": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"gsuite": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"hubspot": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"imanage": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"jamf": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"jira": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"jumpcloud": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"lucid": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"miro": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"mongo": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"monday": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"multiple": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"netsuite": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"notion": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"o365": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"okta": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"onelogin": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"ping": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sapsf": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sfdc": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sfmc": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"slack": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sendgrid": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"smartsheet": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"snow": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"snowflake": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"stripe": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"tableau": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"veevavault": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"webex": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"wiz": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"workday": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"zendesk": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"zoom": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
}
},
"required": [
"@timestamp",
"version",
"appomni"
],
"additionalProperties": false,
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "ACES.json",
"title": "AppOmni Common Event Schema",
"description": "TBD"
}